Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploited over the network via SQL but requires the high-level 'create udf' privilege (PR:H); native in-process code execution yields full C/I/A impact with no scope change (S:U).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
TDengine is an open source, time-series database optimized for Internet of Things devices. Prior to 3.4.1.15, a user with create udf privilege could upload a crafted shared library and install it as a user-defined function, such as eval, then execute arbitrary C code on the TDengine server side through database queries. This issue is fixed in version 3.4.1.15.
AnalysisAI
Server-side arbitrary code execution in TDengine time-series database (versions prior to 3.4.1.15) allows a database user holding the 'create udf' privilege to upload a malicious shared library, register it as a user-defined function (e.g. named 'eval'), and execute attacker-controlled native C code on the server by invoking that function through ordinary SQL queries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated TDengine account that holds the 'create udf' privilege - this is the exact, concrete prerequisite named in the advisory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2 High) is internally consistent with the description: the attack is delivered over the network via SQL queries (AV:N), is low-complexity (AC:L), requires no user interaction (UI:N), yields full C/I/A impact, but demands a high-privilege account holding 'create udf' (PR:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained (or been legitimately granted) a TDengine account with the 'create udf' privilege compiles a malicious C shared library containing arbitrary payload code, uploads it, and registers it as a user-defined function such as 'eval'. They then run a normal SQL query that invokes the function, causing their native code to execute inside the TDengine server process with that process's privileges. … |
| Remediation | Upgrade to TDengine 3.4.1.15 or later, which remediates the issue - Vendor-released patch: 3.4.1.15 (per GHSA-f7wh-p233-87xv, https://github.com/taosdata/TDengine/security/advisories/GHSA-f7wh-p233-87xv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all TDengine deployments and document which versions are currently in production, with priority given to systems storing sensitive business data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44766