Apache Pinot security advisories
Security information for Apache Pinot
Reporting
Do you want disclose a potential security issue for Apache Pinot? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Authentication bypass issue. If the path does not contain / and contain . authentication is not required
CVE-2024-56325 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-20T16:45:37.070Z
Affected
- Apache Pinot before 1.3
Description
Authentication Bypass Vulnerability in Apache Pinot (CVE-2024-56325)
Apache Pinot versions prior to 1.3.0 contain an authentication bypass vulnerability affecting REST endpoints in the Controller and Broker components.
Description
The vulnerability is caused by improper handling of HTTP request paths containing matrix parameters (;) combined with dot (.) characters. Under certain crafted path conditions (for example, /users;.), the request could be incorrectly classified as an unprotected resource. As a result, authentication checks were skipped.
This may allow an unauthenticated attacker to invoke protected administrative APIs if the Pinot Controller or Broker endpoints are accessible.
This issue is classified as:
-
CWE-288: Authentication Bypass Using an Alternate Path or Channel
Example
Expected behavior (authentication enforced):
curl -X POST -H "Content-Type: application/json" \
-d '{"username":"hack2","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' \
http://{server_ip}:9000/users
Response:
{"code":401,"error":"HTTP 401 Unauthorized"}
Crafted request triggering bypass (pre-1.3.0 only):
curl -X POST -H "Content-Type: application/json" \
-d '{"username":"hack","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' \
http://{server_ip}:9000/users;.
In vulnerable versions, this request could bypass authentication and succeed.
Impact
If exploited, an unauthenticated attacker may gain administrative access, including the ability to create users and modify cluster configuration.
The vulnerability is only exploitable if:
-
Authentication is enabled, and
-
Controller or Broker APIs are reachable by the attacker.
Affected Versions
-
Apache Pinot versions earlier than 1.3.0
Fixed Version
-
Apache Pinot 1.3.0
The fix ensures matrix parameters are stripped from request paths before evaluating authentication requirements.
References
Credits
- 75Acol at Huawei (finder)
- fcgboy at Huawei (finder)
- wk2025 at Huawei (finder)
- leo at Huawei (finder)
Unauthorized endpoint exposed sensitive information
CVE-2024-39676 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-24T07:41:07.886Z
Affected
- Apache Pinot from 0.1 before 1.0.0
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot.
This issue affects Apache Pinot: from 0.1 before 1.0.0.
Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue.
Details:
When using a request to path “/appconfigs” to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the Role-based Access Control, so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added.
References
Credits
- Xun Bai bbbbear68@gmail.com (finder)
Pinot query endpoint and the realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support
CVE-2022-26112 [CVE] [CVE json] [OSV json]
Last updated: 2022-09-23T03:13:43.429Z
Affected
- Apache Pinot from Apache Pinot through 0.10.0
Description
In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0
References
Credits
- Apache Pinot would like to thank Haoruo Chen(chenhaoruo0128@gmail.com) for reporting the issue
Pinot segment push endpoint has a vulnerability in unprotected environments
CVE-2022-23974 [CVE] [CVE json] [OSV json]
Last updated: 2022-04-05T19:51:49.065Z
Affected
- Apache Pinot from Apache Pinot through 0.9.3
Description
In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service.
Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0
References
Credits
- Apache Pinot would like to thank bubblegumkk@qq.com, Kuiplatain@knownsec and FA1C0N@RPO_OFFICIAL for reporting the issue