Skip to main content

Apache IoTDB EUVDEUVD-2026-42832

| CVE-2026-28564 CRITICAL
Insufficient Session Expiration (CWE-613)
2026-07-10 apache GHSA-xwqh-5v9q-g7v9
9.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.8 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote and unauthenticated in effect, but replay requires first capturing a credential that should be invalid, so AC:H; full C/I/A impact on the database stands.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 10, 2026 - 16:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 16:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 16:22 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 09:16 EUVD
Analysis Generated
Jul 10, 2026 - 08:28 vuln.today

DescriptionCVE.org

Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials

This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.

AnalysisAI

Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Capture or retain valid REST credentials
Delivery
Reach network-exposed IoTDB REST endpoint
Exploit
Replay stale Basic Auth credential
Execution
Cache accepts revoked credential
Impact
Read and tamper time-series data

Vulnerability AssessmentAI

Exploitation Exploitation targets the Apache IoTDB REST interface specifically and requires the attacker to possess a credential the system should no longer honor - a captured/replayed Basic Auth credential, or one for an account whose password was changed or access revoked while a cached entry persists. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals conflict and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker harvests a valid Apache IoTDB REST Basic Auth credential - from a logged request, a proxy, or a former employee's saved credentials. Even after the operator changes or revokes that account, the attacker replays the captured credential against the REST API and is still granted access due to the stale credential cache, then reads and manipulates time-series data. …
Remediation Vendor-released patch: version 2.0.10 - upgrade every Apache IoTDB instance running any 1.0.0-through-2.0.9 build to 2.0.10 or later, per the Apache advisory (https://lists.apache.org/thread/l38wpy7flvvfwv4rkps87l5z8gprnfy0). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Apache IoTDB 1.0.0-2.0.9. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40008 CRITICAL
9.8 Jul 10

Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and in

CVE-2026-24014 CRITICAL
9.8 Jul 06

Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can re

CVE-2026-40005 CRITICAL
9.1 Jul 10

Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB

CVE-2026-40006 HIGH
7.5 Jul 10

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the

CVE-2026-24012 HIGH
7.5 Jul 06

Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submi

CVE-2026-40452 HIGH
7.5 Jul 10

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access las

CVE-2026-40007 HIGH
7.5 Jul 10

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attack

CVE-2026-24013 CRITICAL
9.1 Jul 06

Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauth

CVE-2026-40009 MEDIUM
6.5 Jul 10

Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own

CVE-2025-64152 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write fil

CVE-2025-55017 CRITICAL
9.1 Jun 26

Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference fi

Share

EUVD-2026-42832 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy