CVE-2026-23906
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
10/02/2026
Last modified:
10/02/2026
Description
Affected Products and Versions

* Apache Druid
* Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
* Prerequisites:
  * druid-basic-security extension enabled
  * LDAP authenticator configured
  * Underlying LDAP server permits anonymous bind

Vulnerability Description

An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.

The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.

Impact

A remote, unauthenticated attacker can:
* Gain unauthorized access to the Apache Druid cluster
* Access sensitive data stored in Druid datasources
* Execute queries and potentially manipulate data
* Access administrative interfaces if the bypassed account has elevated privileges
* Completely compromise the confidentiality, integrity, and availability of the Druid deployment

Mitigation

Immediate Mitigation (No Druid Upgrade Required):
* Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.

Resolution
* Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
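The following is an added example, not code from Apache Druid or from this advisory. It models the pattern the description calls out (a successful LDAP bind taken as proof of the user's identity, even when the bind carried an empty password and succeeded only as anonymous) next to the two controls named above: refusing to bind with an empty password on the client side, and disallowing anonymous bind on the server side. `FakeLdapServer`, the base DN `ou=people,dc=example,dc=com`, the user `alice` and her password are all constructed for the example; no real directory is contacted.

```python
# Added example, not Apache Druid code: a minimal model of the LDAP
# authenticator flaw described in the advisory and the checks that close it.
# FakeLdapServer is a constructed in-memory stand-in, not a real directory.
from dataclasses import dataclass

BASE_DN = "ou=people,dc=example,dc=com"  # assumed base DN for the example


@dataclass
class FakeLdapServer:
    """Constructed stand-in for an LDAP server.

    Models the behaviour that makes the flaw exploitable: a bind request
    carrying a DN and an empty password (an "unauthenticated bind",
    RFC 4513 section 5.1.2) is accepted as an anonymous session whenever
    the server permits anonymous bind, and rejected otherwise.
    """
    passwords: dict                 # dn -> password, constructed sample data
    allow_anonymous_bind: bool = True

    def search_user(self, uid: str):
        """Return the DN for a uid if it exists in the directory, else None."""
        dn = f"uid={uid},{BASE_DN}"
        return dn if dn in self.passwords else None

    def bind(self, dn: str, password: str) -> bool:
        """Return True if the bind succeeds (as the user, or as anonymous)."""
        if password == "":
            # Empty password: the server treats this as an anonymous bind,
            # not as a verification of the named DN's credentials.
            return self.allow_anonymous_bind
        return self.passwords.get(dn) == password


def authenticate_vulnerable(server: FakeLdapServer, user: str, password: str) -> bool:
    """Pattern the advisory describes: look the user up, bind with whatever
    password was supplied, and treat any successful bind as a valid login.
    With anonymous bind permitted, an existing username plus an empty
    password passes."""
    dn = server.search_user(user)
    if dn is None:
        return False
    return server.bind(dn, password)


def authenticate_hardened(server: FakeLdapServer, user: str, password: str) -> bool:
    """Same flow with the client-side check a fixed authenticator needs:
    never send a bind unless a non-empty password was supplied, so the
    only way the bind can succeed is as the named user."""
    if not user or not password or password.strip() == "":
        return False
    dn = server.search_user(user)
    if dn is None:
        return False
    return server.bind(dn, password)


def compare(allow_anonymous_bind: bool) -> dict:
    """Run both authenticators against a directory with or without anonymous
    bind and return which attempts succeed, so the effect of the client-side
    fix and of the server-side mitigation can each be seen on its own."""
    server = FakeLdapServer(
        passwords={f"uid=alice,{BASE_DN}": "correct-horse"},  # constructed
        allow_anonymous_bind=allow_anonymous_bind,
    )
    return {
        "vulnerable_empty_pw": authenticate_vulnerable(server, "alice", ""),
        "vulnerable_good_pw": authenticate_vulnerable(server, "alice", "correct-horse"),
        "hardened_empty_pw": authenticate_hardened(server, "alice", ""),
        "hardened_good_pw": authenticate_hardened(server, "alice", "correct-horse"),
        "hardened_bad_pw": authenticate_hardened(server, "alice", "wrong"),
        "unknown_user_empty_pw": authenticate_vulnerable(server, "mallory", ""),
    }


if __name__ == "__main__":
    for anon in (True, False):
        print(f"anonymous bind allowed={anon}: {compare(anon)}")
```

Running `compare(True)` shows the vulnerable flow accepting `alice` with an empty password while the hardened flow rejects it; `compare(False)` shows that the server-side mitigation alone (disallowing anonymous bind) also closes the empty-password path, which is why the advisory recommends it as the immediate action even before upgrading. Both controls are worth having: the client-side check does not depend on every directory in the environment being configured correctly, and the server-side setting protects other LDAP clients that make the same mistake.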
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL