Apache Druid security advisories
Security information for Apache Druid
Reporting
Do you want disclose a potential security issue for Apache Druid? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Authentication Bypass via LDAP Anonymous Bind
CVE-2026-23906 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-10T09:28:07.546Z
Affected
- Apache Druid from 0.17.0 before 36.0.0
Description
Affected Products and Versions
- Apache Druid
- Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
- Prerequisites:
- druid-basic-security extension enabled
- LDAP authenticator configured
- Underlying LDAP server permits anonymous bind
Vulnerability Description
An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous
binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.
The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.
Impact
A remote, unauthenticated attacker can:
- Gain unauthorized access to the Apache Druid cluster
- Access sensitive data stored in Druid datasources
- Execute queries and potentially manipulate data
- Access administrative interfaces if the bypassed account has elevated privileges
- Completely compromise the confidentiality, integrity, and availability of the Druid deployment
Immediate Mitigation (No Druid Upgrade Required):
- Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.
Resolution
- Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
References
Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.
CVE-2025-59390 [CVE] [CVE json] [OSV json]
Last updated: 2025-12-11T12:56:31.790Z
Affected
- Apache Druid through 34.0.0
Description
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`,
which is not a crypto-graphically secure random number generator. This
may allow an attacker to predict or brute force the secret used to sign
authentication cookies, potentially enabling token forgery or
authentication bypass. Additionally, each process generates its own
fallback secret, resulting in inconsistent secrets across nodes. This
causes authentication failures in distributed or multi-broker
deployments, effectively leading to a incorrectly configured clusters. Users are
advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`
This issue affects Apache Druid: through 34.0.0.
Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.
References
Credits
- Luke “Daeda1us” Smith (finder)
- 1nfocalypse (analyst)
Server-Side Request Forgery and Cross-Site Scripting
CVE-2025-27888 [CVE] [CVE json] [OSV json]
Last updated: 2025-03-24T07:41:49.543Z
Affected
- Apache Druid before 31.0.2
- Apache Druid at 32.0.0
Description
Severity: medium (5.8) / important
Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.
This issue affects all previous Druid versions.
When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.
Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.
References
Credits
- XBOW (reporter)
Users can provide MySQL JDBC properties not on allow list
CVE-2024-45537 [CVE] [CVE json] [OSV json]
Last updated: 2024-09-19T09:29:22.203Z
Affected
- Apache Druid through 30.0.0
Description
CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.
References
Credits
- L0ne1y (finder)
Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack
CVE-2024-45384 [CVE] [CVE json] [OSV json]
Last updated: 2024-09-17T17:58:14.680Z
Affected
- Apache Druid from 0.18.0 through 30.0.0
Description
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.
This could allow an attacker to manipulate a pac4j session cookie.
This issue affects Apache Druid versions 0.18.0 through 30.0.0.
Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.
While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue
and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.
References
Credits
- mr-n30 (reporter)
Clickjacking in the web console
CVE-2022-28889 [CVE] [CVE json] [OSV json]
Last updated: 2022-07-07T18:30:27.570Z
Affected
- Apache Druid from unspecified through 0.22.1
Description
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
References
Reflected XSS on certain HTTP endpoints
CVE-2021-44791 [CVE] [CVE json] [OSV json]
Last updated: 2022-07-07T18:29:34.319Z
Affected
- Apache Druid from Apache Druid through 0.22.1
Description
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.
References
Credits
- This issue was discovered by DangKhai from Viettel Cyber Security
Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)
CVE-2021-36749 [CVE] [CVE json] [OSV json]
Last updated: 2021-09-23T23:08:21.915Z
Affected
- Apache Druid from 0.21.1 and earlier through 0.21.1
Description
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.
This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
References
Credits
- This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud.
- ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920.
Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended
CVE-2021-26920 [CVE] [CVE json] [OSV json]
Last updated: 2021-07-02T07:14:27.176Z
Affected
- Apache Druid from Apache Druid through 0.20.2
Description
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.
References
Credits
- This issue was discovered by chybeta from the Security Team of Alibaba Cloud.
Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems.
CVE-2021-26919 [CVE] [CVE json] [OSV json]
Last updated: 2021-03-30T07:47:52.941Z
Affected
- Apache Druid from Apache Druid through 0.20.1
Description
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2
References
Credits
- This issue was discovered by fantasyC4t from the Ant FG Security Lab.
Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.
CVE-2021-25646 [CVE] [CVE json] [OSV json]
Last updated: 2021-01-29T19:09:31.597Z
Affected
- Apache Druid from 0.20.0 and earlier through 0.20.0
Description
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
References
Credits
- This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.