Apache Pinot security advisories

Security information for Apache Pinot

Reporting

Do you want disclose a potential security issue for Apache Pinot? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Authentication bypass issue. If the path does not contain / and contain . authentication is not required

CVE-2024-56325 [CVE] [CVE json] [OSV json]

Last updated: 2026-02-20T16:45:37.070Z

Affected

  • Apache Pinot before 1.3

Description

Authentication Bypass Vulnerability in Apache Pinot (CVE-2024-56325)


Apache Pinot versions prior to 1.3.0 contain an authentication bypass vulnerability affecting REST endpoints in the Controller and Broker components.


Description


The vulnerability is caused by improper handling of HTTP request paths containing matrix parameters (;) combined with dot (.) characters. Under certain crafted path conditions (for example, /users;.), the request could be incorrectly classified as an unprotected resource. As a result, authentication checks were skipped.


This may allow an unauthenticated attacker to invoke protected administrative APIs if the Pinot Controller or Broker endpoints are accessible.


This issue is classified as:

  • CWE-288: Authentication Bypass Using an Alternate Path or Channel


Example


Expected behavior (authentication enforced):

curl -X POST -H "Content-Type: application/json" \
  -d '{"username":"hack2","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' \
  http://{server_ip}:9000/users

Response:

{"code":401,"error":"HTTP 401 Unauthorized"}

Crafted request triggering bypass (pre-1.3.0 only):

curl -X POST -H "Content-Type: application/json" \
  -d '{"username":"hack","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' \
  http://{server_ip}:9000/users;.

In vulnerable versions, this request could bypass authentication and succeed.


Impact


If exploited, an unauthenticated attacker may gain administrative access, including the ability to create users and modify cluster configuration.


The vulnerability is only exploitable if:

  • Authentication is enabled, and

  • Controller or Broker APIs are reachable by the attacker.


Affected Versions

  • Apache Pinot versions earlier than 1.3.0


Fixed Version

  • Apache Pinot 1.3.0


The fix ensures matrix parameters are stripped from request paths before evaluating authentication requirements.


Users are strongly encouraged to upgrade to version 1.3.0 or later.

References

Credits

  • 75Acol at Huawei (finder)
  • fcgboy at Huawei (finder)
  • wk2025 at Huawei (finder)
  • leo at Huawei (finder)

Unauthorized endpoint exposed sensitive information

CVE-2024-39676 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-24T07:41:07.886Z

Affected

  • Apache Pinot from 0.1 before 1.0.0

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot.

This issue affects Apache Pinot: from 0.1 before 1.0.0.

Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue.

Details: 

When using a request to path “/appconfigs” to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the Role-based Access Control, so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added.


References

Credits

Pinot query endpoint and the realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support

CVE-2022-26112 [CVE] [CVE json] [OSV json]

Last updated: 2022-09-23T03:13:43.429Z

Affected

  • Apache Pinot from Apache Pinot through 0.10.0

Description

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0

References

Credits

Pinot segment push endpoint has a vulnerability in unprotected environments

CVE-2022-23974 [CVE] [CVE json] [OSV json]

Last updated: 2022-04-05T19:51:49.065Z

Affected

  • Apache Pinot from Apache Pinot through 0.9.3

Description

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service.

Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

References

Credits

  • Apache Pinot would like to thank bubblegumkk@qq.com, Kuiplatain@knownsec and FA1C0N@RPO_OFFICIAL for reporting the issue