CVE-2026-24013
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
06/07/2026
Última modificación:
06/07/2026
Descripción
*** Pendiente de traducción *** Authentication Bypass by Spoofing vulnerability in Apache IoTDB.<br />
Certain Thrift RPC query handlers lack strict validation of the sessionId<br />
parameter. An attacker can construct requests with a forged sessionId and,<br />
without performing openSession authentication, receive valid query results.<br />
This allows authentication bypass and unauthorized reading of time-series<br />
data.<br />
<br />
<br />
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.<br />
<br />
Users are recommended to upgrade to version 2.0.8, which fixes the issue.



