Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AC:H because exploitation requires the non-default condition of the internal DataNode RPC port being network-exposed; PR:N since no auth is needed once reachable; C/I/A:H as attacker-controlled file write is credibly escalatable to RCE.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Articles & Coverage 1
AnalysisAI
Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The DataNode's internal RPC port (the inter-node Thrift interface, normally reachable only by other cluster nodes) must be exposed to a network the attacker can reach - this is the explicit precondition in the advisory and the primary limiting factor, since correctly segmented clusters keep this port internal-only. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict and must be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to an exposed DataNode internal RPC port sends a Trigger-creation request whose JAR filename contains '../' traversal sequences, causing IoTDB to write the attacker-supplied JAR (or arbitrary bytes) to a location outside the Trigger directory - for example over a configuration file, an executable, or a scheduled/startup artifact owned by the IoTDB process. By overwriting a file that IoTDB or the host later executes, the attacker can escalate the file-write primitive toward code execution as the IoTDB service account. … |
| Remediation | Vendor-released patch: upgrade Apache IoTDB to version 2.0.8, which fixes the insufficient JAR-name validation, per the Apache advisory (https://lists.apache.org/thread/38298f803gb5j9nlhf0l9zkf34o90h3m). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Apache IoTDB deployments and verify DataNode RPC port exposure (internal vs. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Iotdb
View allUnsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in
Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials ag
Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB
Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the
Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi
Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access las
Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attack
Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauth
Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own
Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil
Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41854
GHSA-rpg4-r93p-w6gg