Unsafe Reflection Vulnerability in Apache IoTDB Software
CVE-2026-40008

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
10 July 2026

What is CVE-2026-40008?

The vulnerability in Apache IoTDB arises from the pipe processor's mechanism of reading fully qualified Java class names and instantiating them using Class.forName().newInstance(). This process lacks proper validation and allowlisting, enabling potential exploitation by malicious actors to execute arbitrary code. Users are strongly recommended to upgrade to Apache IoTDB version 2.0.10 or later to mitigate this security threat.

Affected Version(s)

Apache IoTDB 1.0.0 < 2.0.10

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Cosentino
.