Apache Doris security advisories

Security information for Apache Doris

Reporting

Do you want disclose a potential security issue for Apache Doris? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

SQL injection leading the authentication bypass

CVE-2025-66336 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-22T06:55:16.362Z

Affected

  • Apache Doris MCP Server from 0.1.0 before 0.6.1

Description

Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller’s authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope.

Affected users are recommended to upgrade to Doris version 0.6.1 or later, which fixes the issue.

References

Credits

  • cherno.x. (reporter)

MCP SQL inject

CVE-2025-66335 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-17T09:41:43.983Z

Affected

  • Apache Doris MCP Server from 0.1.0 before 0.6.1

Description

Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.

References

Credits

  • Tomer Peled, Senior Security Researcher at Akamai (reporter)

Improper Access Control results in bypassing a “read-only” mode for doris-mcp-server MCP Server

CVE-2025-58337 [CVE] [CVE json] [OSV json]

Last updated: 2025-11-05T09:26:34.887Z

Affected

  • Apache Doris-MCP-Server from 0.1.0 before 0.6.0

Description

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions.

Impact:
Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications.

Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).


References

Credits

allows admin users to read arbitrary files through the REST API

CVE-2024-48019 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-04T18:19:49.957Z

Affected

  • Apache Doris from 2.1.0 before 2.1.8
  • Apache Doris from 3.0.0 before 3.0.3

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris.

Application administrators can read arbitrary files from the server filesystem through path traversal.

Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue.

References

Credits

  • Man Yue Mo of the GitHub Security Lab team (finder)

Downloading arbitrary remote jar files resulting in remote command execution

CVE-2024-27438 [CVE] [CVE json] [OSV json]

Last updated: 2024-03-21T09:39:20.599Z

Affected

  • Apache Doris from 1.2.0 through 2.0.4

Description

Download of Code Without Integrity Check vulnerability in Apache Doris.
The jdbc driver files used for JDBC catalog is not checked and may resulting in remote command execution.
Once the attacker is authorized to create a JDBC catalog, he/she can use arbitrary driver jar file with unchecked code snippet. This code snippet will be run when catalog is initializing without any check.

This issue affects Apache Doris: from 1.2.0 through 2.0.4.

Users are recommended to upgrade to version 2.0.5 or 2.1.x, which fixes the issue.

References

Possible race condition

CVE-2024-26307 [CVE] [CVE json] [OSV json]

Last updated: 2024-03-21T09:38:16.580Z

Affected

  • Apache Doris before 1.2.8
  • Apache Doris before 2.0.4

Description

Possible race condition vulnerability in Apache Doris.
Some of code using chmod() method. This method run the risk of someone renaming the file out from under user and chmodding the wrong file.
This could theoretically happen, but the impact would be minimal.

This issue affects Apache Doris: before 1.2.8, before 2.0.4.

Users are recommended to upgrade to version 2.0.4, which fixes the issue.

References

Missing API authentication allowed DoS

CVE-2023-41314 [CVE] [CVE json] [OSV json]

Last updated: 2023-12-18T08:27:49.193Z

Affected

  • Apache Doris from 1.2.0 through 2.0.3

Description

The api /api/snapshot and /api/get_log_file would allow unauthenticated access.
It could allow a DoS attack or get arbitrary files from FE node.
Please upgrade to 2.0.3 to fix these issues.

References

Timing Attack weakness

CVE-2023-41313 [CVE] [CVE json] [OSV json]

Last updated: 2024-03-12T10:16:14.512Z

Affected

  • Apache Doris before 1.2.8

Description

The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks.
Users are recommended to upgrade to version 2.0.0 + or 1.2.8, which fixes this issue.

References

Credits

  • Andrea Cosentino from Apache Software Foundation (reporter)

Apache Doris hardcoded cryptography initialization

CVE-2022-23942 [CVE] [CVE json] [OSV json]

Last updated: 2022-04-26T14:49:46.143Z

Affected

  • Apache Doris(Incubating) at 0.15.0

Description

Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure.

References

Credits

  • We would like to thanks to Dwi Siswantome@dw1.io for the report of this issue