{"schema_version": "1.6.1", "id": "CVE-2026-24012", "summary": "Denial of Service via Resource Exhaustion in Aggregation Query", "details": "Uncontrolled Resource Consumption vulnerability in Apache IoTDB. \n\nSome interface fails to impose reasonable\nlimits on the time span and aggregation interval of the query. An attacker\ncan construct a request with extreme parameters (e.g., a very large time\nrange combined with a minimal interval). This forces the DataNode to build\nan enormous result set in memory, which exhausts the Java heap and causes\nthe DataNode process to crash.\n\nThis issue affects Apache IoTDB: from 1.3.3 before 2.0.8.\n\nUsers are recommended to upgrade to version 2.0.8, which fixes the issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "1.3.3"}, {"fixed": "2.0.8"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8"}]}