Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Authenticated network access required (PR:L, AV:N); UDF creation yields limited but real integrity and confidentiality impact within unchanged scope.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
TDengine is an open source, time-series database optimized for Internet of Things devices. Prior to 3.4.1.15, a Data Reader admin_user on a TDengine Cloud DB instance could run create udf even though standard users should have read-only permissions for non-database objects and show dnodes and create user were denied. This issue is fixed in version 3.4.1.15.
AnalysisAI
Improper privilege management in TDengine Cloud DB prior to 3.4.1.15 allows an authenticated Data Reader admin_user to execute create udf (user-defined function) commands that should be restricted to higher-privilege roles. While the same role is correctly denied show dnodes and create user, the UDF creation permission was left ungated, creating a privilege escalation path within the database engine. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Data Reader admin_user account on a TDengine Cloud DB instance running a version prior to 3.4.1.15. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N accurately reflects the bounded risk: exploitation requires authenticated low-privilege access (PR:L), limiting the attacker pool to existing Data Reader credential holders. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained Data Reader credentials for a TDengine Cloud DB instance - whether through phishing, credential stuffing, or insider access - connects to the database over the network and issues a `create udf` statement to load a custom function. Because the ACL check is absent for this command in the affected versions, the command succeeds despite the read-only role, allowing the attacker to introduce a UDF that may manipulate query results or access data outside their intended scope. … |
| Remediation | Upgrade TDengine to version 3.4.1.15 or later, which resolves the missing ACL check on the `create udf` command for Data Reader admin_user accounts. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44764