Path Traversal Vulnerability in Apache IoTDB Affecting Trigger Instances
CVE-2026-24014

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-24014?

The Apache IoTDB DataNode's RPC interface for creating Trigger instances lacks adequate validation of the uploaded Trigger JAR names. This vulnerability allows attackers to exploit the internal DataNode RPC port, which, if exposed to an untrusted network, can lead to unauthorized file writes outside the designated Trigger installation directory. Consequently, attackers could manipulate files with the existing permissions of the IoTDB process. Users are advised to upgrade to version 2.0.8, which effectively resolves this issue.

Affected Version(s)

Apache IoTDB 1.3.3 < 2.0.8

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yan Nan (Detecon Security Lab).
.