Skip to main content

Apache IoTDB CVE-2026-40009

| EUVDEUVD-2026-42837 MEDIUM
Improper Privilege Management (CWE-269)
2026-07-10 apache GHSA-hmrq-mg25-fh98
6.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
6.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
8.8 HIGH

Network-reachable database service exploited by an authenticated low-privilege user (PR:L) via a deterministic rename (AC:L, no UI); escalation to full tree-path access yields high confidentiality, integrity, and availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 09:16 EUVD
Analysis Generated
Jul 10, 2026 - 08:21 vuln.today

DescriptionCVE.org

Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor.

This issue affects Apache IoTDB: from 2.0.8 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.

AnalysisAI

Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own account to the reserved '__internal_auditor' identity and thereby inherit full tree-path access across all stored time-series data. The flaw stems from the system trusting a reserved auditor username without protecting it from ordinary user-driven renames, so a normal database user can self-promote to auditor-level authority. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Invoke self user-rename operation
Exploit
Rename account to __internal_auditor
Execution
Inherit reserved auditor authority
Impact
Gain full tree-path access to all data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Apache IoTDB account on a server running an affected version (2.0.8 or 2.0.9) and the ability to invoke the user self-rename functionality; the concrete trigger is renaming one's own account to the reserved identity '__internal_auditor', which the system fails to protect. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector, EPSS score, KEV entry, or POC was provided, so quantitative signals are absent and the assessment relies on the description and CWE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds any legitimate low-privilege IoTDB account - for example a contractor, a compromised application service account, or a curious internal user - issues a user-rename operation changing their own username to '__internal_auditor'. The system then treats them as the reserved auditor principal, granting full tree-path access to read and manipulate all time-series data across the database. …
Remediation Vendor-released patch: Apache IoTDB 2.0.10 - upgrade all 2.0.8 and 2.0.9 deployments to 2.0.10 or later, which fixes the reserved-name handling. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory systems running Apache IoTDB 2.0.8 or 2.0.9 and assess stored data sensitivity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40008 CRITICAL
9.8 Jul 10

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in

CVE-2026-28564 CRITICAL
9.8 Jul 10

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials ag

CVE-2026-24014 CRITICAL
9.8 Jul 06

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can re

CVE-2026-40005 CRITICAL
9.1 Jul 10

Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB

CVE-2026-40006 HIGH
7.5 Jul 10

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the

CVE-2026-24012 HIGH
7.5 Jul 06

Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi

CVE-2026-40452 HIGH
7.5 Jul 10

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access las

CVE-2026-40007 HIGH
7.5 Jul 10

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attack

CVE-2026-24013 CRITICAL
9.1 Jul 06

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauth

CVE-2025-64152 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil

CVE-2025-55017 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi

Share

CVE-2026-40009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy