CVE-2026-40452
- EPSS 0.14%
- Veröffentlicht 10.07.2026 07:16:05
- Zuletzt bearbeitet 10.07.2026 19:17:23
Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, fr...
CVE-2026-40009
- EPSS 0.13%
- Veröffentlicht 10.07.2026 07:15:07
- Zuletzt bearbeitet 10.07.2026 19:17:23
Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor. This issue affects Apache IoTDB: from 2.0.8 before 2.0.10....
CVE-2026-40008
- EPSS 0.25%
- Veröffentlicht 10.07.2026 07:13:27
- Zuletzt bearbeitet 10.07.2026 16:16:30
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validatio...
CVE-2026-40007
- EPSS 0.14%
- Veröffentlicht 10.07.2026 07:12:29
- Zuletzt bearbeitet 10.07.2026 16:16:30
Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in ...
CVE-2026-40006
- EPSS 0.18%
- Veröffentlicht 10.07.2026 07:10:54
- Zuletzt bearbeitet 10.07.2026 16:16:29
Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver acc...
CVE-2026-40005
- EPSS 0.16%
- Veröffentlicht 10.07.2026 07:09:49
- Zuletzt bearbeitet 10.07.2026 16:16:29
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. An attacker can write arbitrary files anywhere the IoTDB process has write permissions with unsafe API. This issue affects Apache IoTDB: f...
CVE-2026-28564
- EPSS 0.18%
- Veröffentlicht 10.07.2026 07:08:12
- Zuletzt bearbeitet 10.07.2026 16:16:28
Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to ...
CVE-2026-24013
- EPSS 0.47%
- Veröffentlicht 06.07.2026 08:38:54
- Zuletzt bearbeitet 07.07.2026 17:50:26
Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authe...
CVE-2026-24012
- EPSS 0.55%
- Veröffentlicht 06.07.2026 08:38:25
- Zuletzt bearbeitet 07.07.2026 17:53:36
Uncontrolled Resource Consumption vulnerability in Apache IoTDB. Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very larg...
CVE-2026-24014
- EPSS 0.51%
- Veröffentlicht 06.07.2026 08:34:26
- Zuletzt bearbeitet 07.07.2026 17:49:04
Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may...