CVE-2026-24015

Apache IoTDB: Insecure Default Configuration Vulnerability

CVSS 9.8 CRITICAL | EPSS 0.6% | CWE-1327
In short

Apache IoTDB comes with unsafe default settings that allow attackers to access or control the database without proper authentication. This is critical because the database may contain sensitive data that needs protection.

Technical detail

IoTDB versions 1.0.0 through 1.3.6 and 2.0.0 through 2.0.6 ship with an insecure default configuration (CWE-1327) that enables unauthenticated or unauthorized access. The vulnerability affects database instances deployed with default settings; exploitation requires network access to the affected service. Successful exploitation compromises data confidentiality and integrity.

Summary generated and translated by AI from the official description.
A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
