CVE-2026-28564

Apache · IoTDB

A session expiration and authentication bypass vulnerability in Apache IoTDB allows attackers to reuse stale credentials to gain unauthorized access via REST Basic Authentication.

Executive summary

A critical authentication bypass flaw in Apache IoTDB allows unauthenticated attackers to gain unauthorized access by replaying stale, cached credentials.

Vulnerability

This issue stems from insufficient session expiration and a capture-replay vulnerability (CWE-613, CWE-294) in the REST Basic Authentication mechanism. Unauthenticated attackers can capture or utilize stale credentials to bypass authentication controls and gain access to the system.

Business impact

With a CVSS score of 9.8, this vulnerability allows for complete compromise of the affected IoTDB instance. Unauthorized access enables attackers to exfiltrate sensitive data, manipulate operational databases, and potentially gain further access to the internal network. This represents a catastrophic risk to confidentiality, integrity, and availability.

Remediation

Immediate Action: Upgrade Apache IoTDB to version 2.0.10 or later to implement proper session management and secure authentication practices.

Proactive Monitoring: Review authentication logs for suspicious patterns, such as multiple successful logins using historically used or stale session tokens.

Compensating Controls: Implement strict network access controls to limit access to the REST API to trusted IP addresses only until the patch can be applied.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is critical due to its ease of exploitation and the depth of access granted to an attacker. Organizations must treat this as a high-urgency update and migrate to version 2.0.10 to prevent unauthorized access and potential data breaches.