Improper Access Control in Apache IoTDB Affecting Authenticated Users
CVE-2026-40009

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
10 July 2026

What is CVE-2026-40009?

An improper access control vulnerability exists in Apache IoTDB that allows authenticated users to escalate their privileges. By renaming themselves to '__internal_auditor', users can gain unauthorized access to full tree-paths within the system. This issue affects versions 2.0.8 through 2.0.9, which may expose sensitive data and system integrity. Users are strongly advised to upgrade to version 2.0.10, which resolves this vulnerability and enhances overall security.

Affected Version(s)

Apache IoTDB 2.0.8 < 2.0.10

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bugbunny.ai
.