CVE-2026-24013
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/07/2026
Last modified:
06/07/2026
Description
Authentication Bypass by Spoofing vulnerability in Apache IoTDB.<br />
Certain Thrift RPC query handlers lack strict validation of the sessionId<br />
parameter. An attacker can construct requests with a forged sessionId and,<br />
without performing openSession authentication, receive valid query results.<br />
This allows authentication bypass and unauthorized reading of time-series<br />
data.<br />
<br />
<br />
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.<br />
<br />
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL



