Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable database service exploited by an authenticated low-privilege user (PR:L) via a deterministic rename (AC:L, no UI); escalation to full tree-path access yields high confidentiality, integrity, and availability impact.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor.
This issue affects Apache IoTDB: from 2.0.8 before 2.0.10.
Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Articles & Coverage 1
AnalysisAI
Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own account to the reserved '__internal_auditor' identity and thereby inherit full tree-path access across all stored time-series data. The flaw stems from the system trusting a reserved auditor username without protecting it from ordinary user-driven renames, so a normal database user can self-promote to auditor-level authority. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Apache IoTDB account on a server running an affected version (2.0.8 or 2.0.9) and the ability to invoke the user self-rename functionality; the concrete trigger is renaming one's own account to the reserved identity '__internal_auditor', which the system fails to protect. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector, EPSS score, KEV entry, or POC was provided, so quantitative signals are absent and the assessment relies on the description and CWE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds any legitimate low-privilege IoTDB account - for example a contractor, a compromised application service account, or a curious internal user - issues a user-rename operation changing their own username to '__internal_auditor'. The system then treats them as the reserved auditor principal, granting full tree-path access to read and manipulate all time-series data across the database. … |
| Remediation | Vendor-released patch: Apache IoTDB 2.0.10 - upgrade all 2.0.8 and 2.0.9 deployments to 2.0.10 or later, which fixes the reserved-name handling. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory systems running Apache IoTDB 2.0.8 or 2.0.9 and assess stored data sensitivity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Iotdb
View allUnsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in
Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials ag
Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can re
Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB
Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the
Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi
Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access las
Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attack
Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauth
Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil
Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42837
GHSA-hmrq-mg25-fh98