Apache IoTDB security advisories

Security information for Apache IoTDB

Reporting

Do you want disclose a potential security issue for Apache IoTDB? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

JEXL Expression Injection Vulnerability

CVE-2026-24713 [CVE] [CVE json] [OSV json]

Last updated: 2026-03-09T08:59:57.653Z

Affected

  • Apache IoTDB from 1.0.0 before 1.3.7
  • Apache IoTDB from 2.0.0 before 2.0.7

Description

Improper Input Validation vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.

Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.

References

Credits

  • Yongzhi Liu of Tencent YunDing Security Lab (finder)

Insecure Default Configuration Vulnerability

CVE-2026-24015 [CVE] [CVE json] [OSV json]

Last updated: 2026-03-09T08:57:43.961Z

Affected

  • Apache IoTDB from 1.0.0 before 1.3.7
  • Apache IoTDB from 2.0.0 before 2.0.7

Description

A vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.

Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.

References

Credits

  • Mapta / BugBunny_ai (finder)

Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write

CVE-2026-24014 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-06T08:34:23.903Z

Affected

  • Apache IoTDB from 1.3.3 before 2.0.8

Description

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.

This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.

Users are recommended to upgrade to version 2.0.8, which fixes the issue.

References

Credits

  • Yan Nan (Detecon Security Lab). (finder)

Authentication Bypass via Forged SessionID in Thrift RPC

CVE-2026-24013 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-06T07:17:46.194Z

Affected

  • Apache IoTDB from 1.3.3 before 2.0.8

Description

Authentication Bypass by Spoofing vulnerability in Apache IoTDB.
Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data.

This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.

Users are recommended to upgrade to version 2.0.8, which fixes the issue.

References

Credits

  • Yan Nan (Detecon Security Lab) (finder)

Denial of Service via Resource Exhaustion in Aggregation Query

CVE-2026-24012 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-06T07:19:25.470Z

Affected

  • Apache IoTDB from 1.3.3 before 2.0.8

Description

Uncontrolled Resource Consumption vulnerability in Apache IoTDB. 

Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash.

This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.

Users are recommended to upgrade to version 2.0.8, which fixes the issue.

References

Credits

  • Yan Nan (Detecon Security Lab) (finder)

Path Traversal Vulnerability

CVE-2025-64152 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-26T12:16:26.834Z

Affected

  • Apache IoTDB from 1.0.0 before 1.3.6
  • Apache IoTDB from 2.0.0 before 2.0.7

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7.

Users are recommended to upgrade to version 1.3.6 and 2.0.7, which fixes the issue.

References

Credits

  • Yan Nan (Detecon Security Lab) (finder)

Path Traversal Vulnerability

CVE-2025-55017 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-26T12:15:51.835Z

Affected

  • Apache IoTDB from 2.0.0 before 2.0.6
  • Apache IoTDB from 1.0.0 before 1.3.6

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6.

Users are recommended to upgrade to version 1.3.6 and 2.0.6, which fixes the issue.

References

Credits

  • qx (finder)

Deserialization of untrusted Data

CVE-2025-48459 [CVE] [CVE json] [OSV json]

Last updated: 2025-09-24T07:57:20.978Z

Affected

  • Apache IoTDB from 1.0.0 before 2.0.5

Description

Deserialization of Untrusted Data vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 2.0.5.

Users are recommended to upgrade to version 2.0.5, which fixes the issue.

References

Credits

  • Sanny (finder)
  • 75Acol (finder)
  • stan fang (finder)
  • Wu Jiang (finder)

DoS Vulnerability

CVE-2025-48392 [CVE] [CVE json] [OSV json]

Last updated: 2025-09-24T07:59:48.976Z

Affected

  • Apache IoTDB from 1.3.3 through 1.3.4
  • Apache IoTDB from 2.0.1-beta through 2.0.4

Description

A vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.

Users are recommended to upgrade to version 2.0.5, which fixes the issue.

References

Credits

  • yyjLF (finder)

Exposure of Sensitive Information in IoTDB OpenID Authentication

CVE-2025-26864 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-14T10:44:11.661Z

Affected

  • Apache IoTDB from 0.10.0 through 1.3.3
  • Apache IoTDB from 2.0.1-beta before 2.0.2

Description

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.

This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.

Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

References

Credits

  • Kyler Katz (finder)

Exposure of Sensitive Information in IoTDB JDBC driver

CVE-2025-26795 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-14T10:43:01.849Z

Affected

  • Apache IoTDB JDBC driver from 0.10.0 through 1.3.3
  • Apache IoTDB JDBC driver from 2.0.1-beta before 2.0.2

Description

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.

This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.

Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.

References

Credits

  • Kyler Katz (finder)

SSRF Vulnerability (EOL)

CVE-2024-36448 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-05T09:53:35.819Z

Affected

  • Apache IoTDB Workbench from 0.13.0 through *

Description

** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench.

This issue affects Apache IoTDB Workbench: from 0.13.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

Credits

  • L0ne1y (finder)

Remote Code Execution with untrusted URI of User-defined function

CVE-2024-24780 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-14T10:42:18.799Z

Affected

  • Apache IoTDB from 1.0.0 before 1.3.4

Description

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.

Users are recommended to upgrade to version 1.3.4, which fixes the issue.

References

Credits

  • Y4 tacker (finder)
  • Nbxiglk (finder)

Unsafe deserialize map in Sync Tool

CVE-2023-51656 [CVE] [CVE json] [OSV json]

Last updated: 2023-12-21T11:47:55.799Z

Affected

  • Apache IoTDB from 0.13.0 through 0.13.4

Description

Deserialization of Untrusted Data vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 0.13.0 through 0.13.4.

Users are recommended to upgrade to version 1.2.2, which fixes the issue.

References

Remote Code Execution (RCE) risk via the UDF

CVE-2023-46226 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-15T10:36:23.883Z

Affected

  • Apache IoTDB from 1.0.0 through 1.2.2

Description

Remote Code Execution vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.

Users are recommended to upgrade to version 1.3.0, which fixes the issue.

References

Credits

  • Glassy of EagleCloud (finder)

apache/iotdb-web-workbench: forge the JWTToken to access workbench

CVE-2023-30771 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-17T07:26:11.955Z

Affected

  • Apache IoTDB Workbench from 0.13.3 before 0.13.4

Description

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.

This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.

This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.

References

Apache IoTDB grafana-connector Login Bypass Vulnerability

CVE-2023-24831 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-18T01:31:44.944Z

Affected

  • Apache IoTDB from 0.13.0 through 0.13.3

Description

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.

This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.

Attackers could login without authorization. This is fixed in 0.13.4.

References

apache/iotdb-web-workbench: create a user without authorization

CVE-2023-24830 [CVE] [CVE json] [OSV json]

Last updated: 2023-03-08T16:15:22.623Z

Affected

  • Apache IoTDB Workbench from 0.13.0 before 0.13.3

Description

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.

This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.

References

apache/iotdb-web-workbench: forge the JWTToken to access workbench

CVE-2023-24829 [CVE] [CVE json] [OSV json]

Last updated: 2023-03-08T16:15:02.969Z

Affected

  • Apache IoTDB Workbench from 0.13.0 before 0.13.3

Description

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.

This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.

This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.

References

Apache IoTDB prior to 0.13.3 allows DoS

CVE-2022-43766 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-26T16:04:23.572Z

Affected

  • Apache IoTDB from unspecified through 0.13.2

Description

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.

References

Credits

  • This issue was discovered by 4ra1n of Chaitin Tech

No authorization of DatabaseConnectController in grafana-connector.

CVE-2022-38370 [CVE] [CVE json] [OSV json]

Last updated: 2022-09-05T09:43:12.381Z

Affected

  • Apache IoTDB at 0.13.0

Description

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue.

References

Login check vulnerability by session Id

CVE-2022-38369 [CVE] [CVE json] [OSV json]

Last updated: 2022-09-05T09:42:50.630Z

Affected

  • Apache IoTDB at 0.13.0

Description

Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue.

References