CVE-2026-40452
Apache Software Foundation · Apache IoTDB
An authorization bypass in the Apache IoTDB /rest/v2/fastLastQuery endpoint allows authenticated users to access unauthorized last-value data.
Executive summary
A high-severity authorization bypass in Apache IoTDB allows authenticated users to access sensitive data they are not permitted to view.
Vulnerability
This is an incorrect authorization and improper access control vulnerability (CWE-863/CWE-284). The flaw resides in the /rest/v2/fastLastQuery endpoint, where the system fails to correctly validate the permissions of an authenticated user, enabling unauthorized access to last-value data.
Business impact
Successful exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive industrial or time-series data managed by IoTDB. With a CVSS score of 7.5, this high-severity issue poses a significant risk to data confidentiality, potentially leading to operational intelligence leakage or violation of regulatory compliance requirements.
Remediation
Immediate Action: Upgrade to Apache IoTDB version 1.3.8 or 2.0.10 (or later) immediately to resolve the authorization logic error.
Proactive Monitoring: Review database access logs for anomalous patterns in requests to the /rest/v2/fastLastQuery endpoint, particularly from users with limited roles.
Compensating Controls: If immediate patching is not feasible, implement strict network-level access controls to restrict access to the REST API to known, trusted internal management segments.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the potential for unauthorized data access and the high CVSS severity, organizations should prioritize upgrading their IoTDB deployments to the patched versions. The risk is elevated by the ease with which an authenticated attacker can leverage this bypass; therefore, applying the vendor-provided security update is the only definitive mitigation.