CVE-2026-23906
Apache · Druid
Apache Druid is vulnerable to an authentication bypass when LDAP is configured to allow anonymous binds, allowing attackers to access restricted resources with an empty password.
Executive summary
A critical authentication bypass in Apache Druid allows unauthenticated attackers to gain unauthorized access to clusters and sensitive data if LDAP anonymous binds are enabled.
Vulnerability
When using the druid-basic-security extension with LDAP, Druid improperly validates authentication responses. If the LDAP server allows anonymous binds, an unauthenticated attacker can provide a valid username and an empty password to bypass security checks.
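Why an empty password is enough: RFC 4513 (section 5.1.2) permits an LDAP server to treat a simple bind that carries a DN but an empty password as an "unauthenticated" bind, which succeeds but yields only an anonymous session, so an application that trusts the bind result code alone is fooled. The following is an added example, not code from Apache Druid or the druid-basic-security extension; it models that server behaviour with a constructed in-memory bind function and places the result-code-only check beside a hardened check that refuses blank passwords before contacting the directory.

```python
"""Defensive check for the LDAP empty-password (unauthenticated) bind bypass."""
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for a directory entry; not a real LDAP server.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple"}


@dataclass
class BindResult:
    success: bool
    authz_id: str  # "" means the resulting session is anonymous


def simulated_bind(dn: str, password: str, allow_unauthenticated: bool) -> BindResult:
    """Mimic an LDAP simple bind (assumption: constructed, not a real client).

    A DN with an empty password is an RFC 4513 'unauthenticated' bind: a server
    that permits it returns success but binds the session as anonymous.
    """
    if password == "":
        return BindResult(success=allow_unauthenticated, authz_id="")
    if DIRECTORY.get(dn) == password:
        return BindResult(success=True, authz_id=dn)
    return BindResult(success=False, authz_id="")


BindFn = Callable[[str, str], BindResult]


def vulnerable_authenticate(dn: str, password: str, bind: BindFn) -> bool:
    """Trusts the bind result code alone: an empty password passes whenever
    the server permits unauthenticated binds."""
    return bind(dn, password).success


def hardened_authenticate(dn: str, password: str, bind: BindFn) -> bool:
    """Rejects empty or whitespace-only passwords before any bind is attempted,
    then requires the server to report a non-anonymous identity for the DN
    (in a real client the analogue is the RFC 4532 'Who am I?' operation)."""
    if not password or not password.strip():
        return False
    result = bind(dn, password)
    return result.success and result.authz_id == dn
```

The `allow_unauthenticated` flag models the LDAP server setting the advisory says to disable; the hardened check holds regardless of how that flag is set.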
Business impact
The CVSS score of 9.8 reflects the high risk to data confidentiality and integrity. Attackers can gain unauthorized access to sensitive datasets, execute arbitrary queries, and potentially manipulate administrative interfaces. This could lead to a complete compromise of the Druid deployment and the business intelligence it supports.
Remediation
Immediate Action: Disable anonymous binds on the underlying LDAP server or upgrade Apache Druid to version 36.0.0 or later.
Proactive Monitoring: Audit LDAP logs for successful binds with empty passwords and review Druid query logs for unauthorized access from unknown IP addresses.
Compensating Controls: Restrict network access to the Druid cluster using firewalls or VPNs to ensure only trusted traffic can reach the authentication endpoints.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations should prioritize disabling anonymous binds on their LDAP servers as a general security best practice, which serves as an immediate mitigation. Following this, upgrading to Druid 36.0.0 is essential to ensure the application correctly handles authentication logic regardless of LDAP settings.