CVE-2026-40006

Apache Software Foundation · Apache IoTDB

Apache IoTDB contains multiple vulnerabilities including missing authentication and improper resource management, allowing unauthenticated remote attackers to trigger denial-of-service conditions.

Executive summary

A high-severity vulnerability in Apache IoTDB allows unauthenticated attackers to cause a denial-of-service (DoS) condition via remote memory exhaustion.

Vulnerability

The vulnerability stems from improper memory allocation and a lack of authentication for the AirGap pipe receiver (port 9780). An unauthenticated attacker can send crafted TCP requests that bypass security checks, triggering excessive heap memory allocation and resource exhaustion.

Business impact

Successful exploitation of this vulnerability results in a denial-of-service, rendering the IoTDB service unavailable. With a CVSS score of 7.5, the impact is significant for organizations relying on IoTDB for real-time data ingestion and processing. Because the attack vector is network-based and requires no authentication, the potential for service disruption is high, which could lead to operational downtime and data processing delays.

Remediation

Immediate Action: Upgrade Apache IoTDB to version 2.0.10 or later to apply the necessary authentication controls and resource throttling.

Proactive Monitoring: Monitor network traffic to port 9780 for unusual connection spikes and review server logs for signs of unexpected memory pressure or service crashes.

Compensating Controls: If an immediate upgrade is not feasible, restrict network access to port 9780 via firewall rules to trusted IP addresses only, or disable the pipe_air_gap_receiver_enabled configuration if it is not required for your operations.

Exploitation status

Public Exploit Available: No (no confirmed public exploit available).

Analyst recommendation

Given the ease of exploitation over the network and the critical impact on service availability, administrators should prioritize patching to version 2.0.10. Organizations that cannot update immediately must implement strict network-level access controls to the affected port to prevent unauthorized access and potential service degradation.