Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unauthenticated network RPC with no interaction gives AV:N/AC:L/PR:N/UI:N; description substantiates only data reading, so C:H but I:N/A:N.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Articles & Coverage 1
AnalysisAI
Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the Apache IoTDB Thrift RPC service and the ability to send RPC requests to one of the affected query handlers carrying a forged sessionId; no valid credentials and no prior openSession call are needed (PR:N, no authentication). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:N, score 9.1) describes a trivially reachable, network-based, unauthenticated attack - a genuinely high-severity signal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to the IoTDB Thrift RPC port crafts a query RPC populated with a forged sessionId, skipping the normal openSession authentication step entirely. The affected handler processes the request as if authenticated and returns time-series query results, letting the attacker exfiltrate sensor and telemetry data. … |
| Remediation | Vendor-released patch: upgrade Apache IoTDB to version 2.0.8, which the Apache project states fixes the issue - this is the primary and recommended remediation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Apache IoTDB installations and confirm affected versions (1.3.3-2.0.7) in inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Iotdb
View allUnsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in
Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials ag
Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can re
Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB
Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the
Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi
Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access las
Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attack
Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own
Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil
Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41857
GHSA-qx5v-jm63-wqfj