CVE-2026-24013
Apache Software Foundation · Apache IoTDB
Apache IoTDB contains an authentication bypass vulnerability in its Thrift RPC handlers, allowing unauthenticated attackers to spoof session IDs and access query results.
Executive summary
An authentication bypass vulnerability in Apache IoTDB allows unauthenticated attackers to spoof session IDs and gain unauthorized access to sensitive time-series data.
Vulnerability
The vulnerability exists in the Thrift RPC query handlers, which perform insufficient validation on the 'sessionId' parameter. This allows an attacker to bypass the 'openSession' authentication requirement and execute queries as a spoofed user.
Business impact
The ability to bypass authentication to access time-series data can lead to the exposure of industrial or operational data, potentially impacting business intelligence and proprietary information. Given the CVSS score of 9.1, this vulnerability poses a severe risk to data confidentiality and integrity, particularly in environments where IoTDB manages critical infrastructure telemetry.
Remediation
Immediate Action: Upgrade to Apache IoTDB version 2.0.8 immediately to secure the Thrift RPC interface.
Proactive Monitoring: Monitor RPC traffic for anomalous query patterns or requests that lack established session initialization sequences.
Compensating Controls: Restrict network access to the Thrift RPC port to trusted IP addresses only, effectively limiting the attack surface while planning for the deployment of the patch.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This is a critical authentication bypass that can be exploited by unauthenticated remote attackers. Organizations running Apache IoTDB should treat this update with high priority to prevent unauthorized data access and potential reconnaissance of sensitive time-series databases.