Apache Doris security advisories
Security information for Apache Doris
Reporting
Do you want disclose a potential security issue for Apache Doris? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
SQL injection leading the authentication bypass
CVE-2025-66336 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-22T06:55:16.362Z
Affected
- Apache Doris MCP Server from 0.1.0 before 0.6.1
Description
Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller’s authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope.
Affected users are recommended to upgrade to Doris version 0.6.1 or later, which fixes the issue.
References
Credits
- cherno.x. (reporter)
MCP SQL inject
CVE-2025-66335 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-17T09:41:43.983Z
Affected
- Apache Doris MCP Server from 0.1.0 before 0.6.1
Description
References
Credits
- Tomer Peled, Senior Security Researcher at Akamai (reporter)
Improper Access Control results in bypassing a “read-only” mode for doris-mcp-server MCP Server
CVE-2025-58337 [CVE] [CVE json] [OSV json]
Last updated: 2025-11-05T09:26:34.887Z
Affected
- Apache Doris-MCP-Server from 0.1.0 before 0.6.0
Description
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions.
Impact:
Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications.
Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).
References
Credits
- Liran Tal, (liran@lirantal.com) (finder)
allows admin users to read arbitrary files through the REST API
CVE-2024-48019 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-04T18:19:49.957Z
Affected
- Apache Doris from 2.1.0 before 2.1.8
- Apache Doris from 3.0.0 before 3.0.3
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris.
Application administrators can read arbitrary
files from the server filesystem through path traversal.
Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue.
References
Credits
- Man Yue Mo of the GitHub Security Lab team (finder)
Downloading arbitrary remote jar files resulting in remote command execution
CVE-2024-27438 [CVE] [CVE json] [OSV json]
Last updated: 2024-03-21T09:39:20.599Z
Affected
- Apache Doris from 1.2.0 through 2.0.4
Description
Download of Code Without Integrity Check vulnerability in Apache Doris.
The jdbc driver files used for JDBC catalog is not checked and may resulting in remote command execution.
Once the attacker is authorized to create a JDBC catalog, he/she can use arbitrary driver jar file with unchecked code snippet. This code snippet will be run when catalog is initializing without any check.
This issue affects Apache Doris: from 1.2.0 through 2.0.4.
Users are recommended to upgrade to version 2.0.5 or 2.1.x, which fixes the issue.
References
Possible race condition
CVE-2024-26307 [CVE] [CVE json] [OSV json]
Last updated: 2024-03-21T09:38:16.580Z
Affected
- Apache Doris before 1.2.8
- Apache Doris before 2.0.4
Description
Possible race condition vulnerability in Apache Doris.
Some of code using chmod() method. This method run the risk of someone renaming the file out from under user and chmodding the wrong file.
This could theoretically happen, but the impact would be minimal.
This issue affects Apache Doris: before 1.2.8, before 2.0.4.
Users are recommended to upgrade to version 2.0.4, which fixes the issue.
References
Missing API authentication allowed DoS
CVE-2023-41314 [CVE] [CVE json] [OSV json]
Last updated: 2023-12-18T08:27:49.193Z
Affected
- Apache Doris from 1.2.0 through 2.0.3
Description
The api /api/snapshot and /api/get_log_file would allow unauthenticated access.
It could allow a DoS attack or get arbitrary files from FE node.
Please upgrade to 2.0.3 to fix these issues.
References
Timing Attack weakness
CVE-2023-41313 [CVE] [CVE json] [OSV json]
Last updated: 2024-03-12T10:16:14.512Z
Affected
- Apache Doris before 1.2.8
Description
The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks.
Users are recommended to upgrade to version 2.0.0 + or 1.2.8, which fixes this issue.
References
Credits
- Andrea Cosentino from Apache Software Foundation (reporter)
Apache Doris hardcoded cryptography initialization
CVE-2022-23942 [CVE] [CVE json] [OSV json]
Last updated: 2022-04-26T14:49:46.143Z
Affected
- Apache Doris(Incubating) at 0.15.0
Description
Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure.
References
Credits
- We would like to thanks to Dwi Siswantome@dw1.io for the report of this issue