Skip to main content

Apache IoTDB CVE-2026-24014

| EUVDEUVD-2026-41854 CRITICAL
Improper Access Control (CWE-284)
2026-07-06 apache GHSA-rpg4-r93p-w6gg
9.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.8 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

AC:H because exploitation requires the non-default condition of the internal DataNode RPC port being network-exposed; PR:N since no auth is needed once reachable; C/I/A:H as attacker-controlled file write is credibly escalatable to RCE.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 06, 2026 - 20:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 20:22 NVD
9.8 (CRITICAL)
Patch available
Jul 06, 2026 - 10:01 EUVD
CVE Published
Jul 06, 2026 - 09:22 cve.org
HIGH
Analysis Generated
Jul 06, 2026 - 09:17 vuln.today

DescriptionCVE.org

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.

This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.

Users are recommended to upgrade to version 2.0.8, which fixes the issue.

AnalysisAI

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed DataNode internal RPC port
Delivery
Invoke Trigger-create RPC
Exploit
Supply JAR name with ../ traversal
Execution
Write file outside Trigger directory
Persist
Overwrite config/startup artifact
Impact
Execute code as IoTDB process

Vulnerability AssessmentAI

Exploitation The DataNode's internal RPC port (the inter-node Thrift interface, normally reachable only by other cluster nodes) must be exposed to a network the attacker can reach - this is the explicit precondition in the advisory and the primary limiting factor, since correctly segmented clusters keep this port internal-only. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict and must be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to an exposed DataNode internal RPC port sends a Trigger-creation request whose JAR filename contains '../' traversal sequences, causing IoTDB to write the attacker-supplied JAR (or arbitrary bytes) to a location outside the Trigger directory - for example over a configuration file, an executable, or a scheduled/startup artifact owned by the IoTDB process. By overwriting a file that IoTDB or the host later executes, the attacker can escalate the file-write primitive toward code execution as the IoTDB service account. …
Remediation Vendor-released patch: upgrade Apache IoTDB to version 2.0.8, which fixes the insufficient JAR-name validation, per the Apache advisory (https://lists.apache.org/thread/38298f803gb5j9nlhf0l9zkf34o90h3m). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Apache IoTDB deployments and verify DataNode RPC port exposure (internal vs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40008 CRITICAL
9.8 Jul 10

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in

CVE-2026-28564 CRITICAL
9.8 Jul 10

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials ag

CVE-2026-40005 CRITICAL
9.1 Jul 10

Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB

CVE-2026-40006 HIGH
7.5 Jul 10

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the

CVE-2026-24012 HIGH
7.5 Jul 06

Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi

CVE-2026-40452 HIGH
7.5 Jul 10

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access las

CVE-2026-40007 HIGH
7.5 Jul 10

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attack

CVE-2026-24013 CRITICAL
9.1 Jul 06

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauth

CVE-2026-40009 MEDIUM
6.5 Jul 10

Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own

CVE-2025-64152 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil

CVE-2025-55017 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi

Share

CVE-2026-24014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy