Skip to main content

Apache IoTDB CVE-2026-40452

| EUVDEUVD-2026-42838 HIGH
Incorrect Authorization (CWE-863)
2026-07-10 apache GHSA-xxj7-h37p-p48c
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible REST API (AV:N), low complexity, requires valid credentials (PR:L), read-only last-value data disclosure with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 09:16 EUVD
Analysis Generated
Jul 10, 2026 - 08:30 vuln.today

DescriptionCVE.org

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users.

This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.

AnalysisAI

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid IoTDB credentials
Delivery
Connect to REST v2 API endpoint
Exploit
Send request to /rest/v2/fastLastQuery
Execution
Authorization check bypassed
Impact
Retrieve last-value time-series data outside authorized scope

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session on the Apache IoTDB instance - the phrase 'unauthorized authenticated users' in the description confirms that credentials are necessary but that the authorization layer beyond authentication is what fails. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided by NVD at time of analysis, and no EPSS probability is available, which limits quantitative risk comparison. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated IoTDB user with a low-privilege account - for example, a read-only service account scoped to a specific storage group - sends a direct HTTP GET request to /rest/v2/fastLastQuery targeting time-series paths outside their authorized scope. The authorization check is bypassed and the server returns the most recent sensor values for the queried paths, exposing potentially sensitive telemetry data such as equipment readings or operational metrics from other tenants or groups. …
Remediation Upgrade to Apache IoTDB version 2.0.10 or later, which is confirmed by the vendor to fix this issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40008 CRITICAL
9.8 Jul 10

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in

CVE-2026-28564 CRITICAL
9.8 Jul 10

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials ag

CVE-2026-24014 CRITICAL
9.8 Jul 06

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can re

CVE-2026-40005 CRITICAL
9.1 Jul 10

Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB

CVE-2026-40006 HIGH
7.5 Jul 10

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the

CVE-2026-24012 HIGH
7.5 Jul 06

Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi

CVE-2026-40007 HIGH
7.5 Jul 10

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attack

CVE-2026-24013 CRITICAL
9.1 Jul 06

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauth

CVE-2026-40009 MEDIUM
6.5 Jul 10

Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own

CVE-2025-64152 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil

CVE-2025-55017 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi

Share

CVE-2026-40452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy