CVE-2026-24014
Apache Software Foundation · IoTDB
A path traversal vulnerability in the Apache IoTDB DataNode RPC interface allows unauthenticated attackers to perform arbitrary file writes.
Executive summary
The Apache IoTDB DataNode interface is vulnerable to arbitrary file write attacks, which could lead to full system compromise if the internal RPC port is exposed to untrusted networks.
Vulnerability
The vulnerability exists in the internal RPC interface used for creating Trigger instances. An unauthenticated attacker can supply malicious path traversal sequences in the JAR name parameter, allowing them to write files outside of the intended directory with the permissions of the IoTDB process.
Business impact
The ability to write arbitrary files to the host system presents a critical risk, potentially allowing an attacker to overwrite configuration files, inject malicious scripts, or achieve remote code execution. Given the CVSS score of 9.8, this vulnerability carries a high risk of total system compromise, leading to severe data loss, unauthorized access to sensitive operational technology (OT) data, and significant operational downtime.
Remediation
Immediate Action: Upgrade Apache IoTDB to version 2.0.8 or later immediately to resolve the file path validation flaw.
Proactive Monitoring: Review access logs for suspicious RPC traffic and monitor for the creation of unexpected files or JAR deployments within the IoTDB installation path.
Compensating Controls: Ensure the internal DataNode RPC port is strictly firewalled and not exposed to any untrusted network or public internet.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability is critical due to the potential for unauthenticated remote code execution. Administrators should prioritize the update to version 2.0.8 and verify that network segmentation rules prevent unauthorized access to the DataNode RPC interface.