
DNS CVE-2026-23906

CRITICAL · 9.8 (CVSS 3.1, NVD)
Improper Authentication (CWE-287)
2026-02-10 · security@apache.org · GHSA-q672-hfc7-g833

Severity by source

NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Patch released (patch available): Mar 31, 2026 - 21:13 (nvd)
  • Analysis Generated: Mar 12, 2026 - 22:02 (vuln.today)
  • CVE Published: Feb 10, 2026 - 10:15 (nvd)

Current rating: CRITICAL 9.8

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4 paths):

  • 1 Maven package depends on org.apache.druid.extensions:druid-basic-security (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.17.0.

Description (CVE.org)

Affected Products and Versions

  • Apache Druid
  • Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
  • Prerequisites:
    • druid-basic-security extension enabled
    • LDAP authenticator configured
    • Underlying LDAP server permits anonymous bind

Vulnerability Description

An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.

The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.

Impact

A remote, unauthenticated attacker can:

  • Gain unauthorized access to the Apache Druid cluster
  • Access sensitive data stored in Druid datasources
  • Execute queries and potentially manipulate data
  • Access administrative interfaces if the bypassed account has elevated privileges
  • Completely compromise the confidentiality, integrity, and availability of the Druid deployment

Mitigation

Immediate Mitigation (No Druid Upgrade Required):

  • Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.

Resolution

  • Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
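The two defences above (reject anonymous binds at the directory, and make the application stop trusting a bare bind success) can be shown side by side. The following is an added example and is not Apache Druid's code or the project's fix. It relies on the LDAP behaviour defined in RFC 4513 section 5.1.2: a simple bind that carries a DN but an empty password is an "unauthenticated" bind, which a directory that permits anonymous access accepts while leaving the session anonymous. The LDAP server in the example is a constructed in-memory stand-in so that it runs offline; `FakeLdapServer`, `BindResult`, the sample DN and password are all assumptions made for the example.

```python
"""Added example (not Apache Druid code): why a successful LDAP simple bind
alone is not proof of authentication, and the checks that close the gap.

Per RFC 4513 section 5.1.2, a simple bind with a DN but an EMPTY password is
an "unauthenticated" bind. Servers that permit anonymous access accept it and
leave the session anonymous. An authenticator that only inspects the bind's
success flag therefore admits any known username with no password.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class BindResult:
    success: bool
    # Authorization identity the server would report for "Who am I?" (RFC 4532):
    # "dn:<DN>" for an authenticated session, "anonymous" for an anonymous one.
    authzid: str


class FakeLdapServer:
    """Constructed in-memory stand-in for a directory server's simple-bind handling."""

    def __init__(self, allow_anonymous: bool, users: dict[str, str]) -> None:
        self.allow_anonymous = allow_anonymous
        self.users = users  # DN -> password (constructed sample data)

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            # Unauthenticated/anonymous bind: succeeds only if anonymous access
            # is allowed, and even then the session is anonymous, not the user.
            if self.allow_anonymous:
                return BindResult(True, "anonymous")
            return BindResult(False, "")
        if self.users.get(dn) == password:
            return BindResult(True, f"dn:{dn}")
        return BindResult(False, "")


def authenticate_vulnerable(server: FakeLdapServer, dn: str, password: str) -> bool:
    """The pattern the advisory describes: trust the bind's success flag alone."""
    return server.simple_bind(dn, password).success


def authenticate_hardened(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Reject empty credentials before binding, then verify who the session is."""
    # 1. An empty password must never reach the directory: LDAP would treat it
    #    as an unauthenticated bind rather than as a failed one.
    if not password:
        return False
    result = server.simple_bind(dn, password)
    # 2. Even on success, confirm the session is bound as the named user and
    #    not anonymous (the equivalent of a "Who am I?" check after the bind).
    return result.success and result.authzid == f"dn:{dn}"


def audit_anonymous_bind(server: FakeLdapServer) -> bool:
    """Defender-side audit of the directory: True if it accepts an anonymous
    bind (empty DN, empty password), i.e. the immediate mitigation has NOT
    been applied yet."""
    return server.simple_bind("", "").success


if __name__ == "__main__":
    ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed sample DN
    lax = FakeLdapServer(allow_anonymous=True, users={ALICE: "correct-horse"})
    strict = FakeLdapServer(allow_anonymous=False, users={ALICE: "correct-horse"})
    for label, srv in (("anonymous bind allowed", lax), ("anonymous bind disabled", strict)):
        print(f"{label}: anonymous_bind_accepted={audit_anonymous_bind(srv)} "
              f"vulnerable_authenticator={authenticate_vulnerable(srv, ALICE, '')} "
              f"hardened_authenticator={authenticate_hardened(srv, ALICE, '')}")
```

The audit function corresponds to the advisory's immediate mitigation: once anonymous binds are refused by the directory (for OpenLDAP, `disallow bind_anon` in slapd.conf or `olcDisallows: bind_anon` under cn=config), even the unchanged authenticator no longer accepts an empty password. The hardened authenticator corresponds to the application-side fix and holds regardless of the directory's configuration, which is why both layers are worth having. Some LDAP client libraries refuse to send an empty password on their own; that behaviour differs between libraries and should not be relied on as the only check.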

Analysis (AI)

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific prerequisites are met.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Connect to Druid cluster
  • Delivery: Send LDAP authentication request
  • Exploit: Bind anonymously to LDAP server
  • Execution: Bypass authentication check
  • Impact: Access Druid resources

Vulnerability Assessment (AI)

Exploitation: The druid-basic-security extension must be enabled with the LDAP authenticator configured, and the underlying LDAP server must permit anonymous bind operations. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS 9.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: Attacker bypasses Druid authentication to execute analytics queries, accessing sensitive business data.
Remediation: Update to Apache Druid 36.0.0. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all Druid instances and confirm which have druid-basic-security and LDAP authenticator enabled; isolate affected systems from production networks if possible. …



CVE-2026-23906 vulnerability details – vuln.today
