CVE-2026-24013

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/07/2026
Last modified:
06/07/2026

Description

Authentication Bypass by Spoofing vulnerability in Apache IoTDB.<br /> Certain Thrift RPC query handlers lack strict validation of the sessionId<br /> parameter. An attacker can construct requests with a forged sessionId and,<br /> without performing openSession authentication, receive valid query results.<br /> This allows authentication bypass and unauthorized reading of time-series<br /> data.<br /> <br /> <br /> This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.<br /> <br /> Users are recommended to upgrade to version 2.0.8, which fixes the issue.