CVE-2025-59390

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/11/2025
Last modified:
26/11/2025

Description

Apache Druid's Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration property is not explicitly set. In that case the secret is generated with `ThreadLocalRandom`, which is not a cryptographically secure random number generator. This may allow an attacker to predict or brute-force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass.

Additionally, each process generates its own fallback secret, so the secrets are inconsistent across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leaving such clusters misconfigured. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`, and to set the same value on every node that participates in the cluster.

This issue affects Apache Druid through 34.0.0.

Users are recommended to upgrade to version 35.0.0, which fixes the issue by making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.
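The two practical consequences of the advisory, a missing secret and a different fallback secret per process, can be checked and demonstrated with a short audit script. The following is an added example written for this page; it is not Druid's own code. It assumes only that Druid reads its settings from a Java-style `runtime.properties` file (key=value lines), which is how the property named above is normally configured. The HMAC-SHA256 tag used here is an illustrative stand-in for whatever scheme Druid's authenticator actually uses to sign cookies; the point it demonstrates, that a cookie minted under one secret fails verification under another, does not depend on the exact scheme. The 32-byte minimum length and the sample property files are assumptions constructed for the example.

```python
"""Audit a Druid runtime.properties for the Kerberos cookie-signature secret,
generate a strong replacement, and show why per-node fallback secrets break
cookie verification across a cluster. Example code, not part of Apache Druid."""
import hashlib
import hmac
import secrets

# Property named in CVE-2025-59390.
SECRET_KEY = "druid.auth.authenticator.kerberos.cookieSignatureSecret"
# Assumption for this example: 256 bits is a sensible floor for an HMAC-style key.
MIN_SECRET_BYTES = 32

# Constructed sample: the secret is absent, so Druid <= 34.0.0 would fall back
# to a ThreadLocalRandom-derived value that differs in every process.
WEAK_PROPERTIES = """\
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.serverPrincipal=HTTP/_HOST@EXAMPLE.COM
"""

# Constructed sample: same file with an explicit, long, shared secret.
FIXED_PROPERTIES = WEAK_PROPERTIES + (
    SECRET_KEY + "=Zk4qX9vB2mLp7sWc0RtYhN8eJu3gIaFd5oQxVbKn1Ty\n"
)


def parse_properties(text):
    """Minimal parser for Java .properties files: key=value or key:value,
    '#'/'!' comment lines, first separator wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else (":" if ":" in line else None)
        if sep is None:
            key, value = line, ""
        else:
            key, value = line.split(sep, 1)
        props[key.strip()] = value.strip()
    return props


def audit_cookie_secret(text):
    """Return finding codes for the cookie-signature secret.
    [] means the secret is explicitly set and at least MIN_SECRET_BYTES long."""
    value = parse_properties(text).get(SECRET_KEY, "")
    if not value:
        # On <= 34.0.0 this silently uses the weak per-process fallback;
        # on 35.0.0 the service refuses to start.
        return ["MISSING"]
    if len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        return ["TOO_SHORT"]
    return []


def generate_cookie_signature_secret(nbytes=MIN_SECRET_BYTES):
    """Strong secret from the OS CSPRNG (the fix for the ThreadLocalRandom fallback).
    Deploy the same value to every node of the cluster."""
    return secrets.token_urlsafe(nbytes)


def sign_cookie(secret, cookie_value):
    """Illustrative HMAC-SHA256 tag over the cookie payload (assumed scheme)."""
    return hmac.new(secret.encode("utf-8"), cookie_value.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_cookie(secret, cookie_value, tag):
    """Constant-time comparison of the expected and presented tags."""
    return hmac.compare_digest(sign_cookie(secret, cookie_value), tag)


def cross_node_check(secret_node_a, secret_node_b,
                     cookie_value="u=alice&t=1700000000"):
    """Mint a cookie on node A and present it to node B. With a shared configured
    secret this is True; with independent fallback secrets it is False, which is
    the multi-broker authentication failure the advisory describes."""
    tag = sign_cookie(secret_node_a, cookie_value)
    return verify_cookie(secret_node_b, cookie_value, tag)


if __name__ == "__main__":
    print("weak file findings :", audit_cookie_secret(WEAK_PROPERTIES))
    print("fixed file findings:", audit_cookie_secret(FIXED_PROPERTIES))
    shared = generate_cookie_signature_secret()
    print("shared secret works across nodes:", cross_node_check(shared, shared))
    print("per-process fallback works across nodes:",
          cross_node_check(generate_cookie_signature_secret(),
                           generate_cookie_signature_secret()))
```

Run it against the real `runtime.properties` of each node before and after setting the property; on 35.0.0 a `MISSING` finding corresponds to a service that will not start, on earlier versions to one that starts with the weak fallback. The `cross_node_check` call with two independently generated secrets models two brokers that each derived their own fallback, which is why a cookie issued by one is rejected by the other.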