Authentication Bypass by Spoofing vulnerability in Apache IoTDB.
Certain Thrift RPC query handlers lack strict validation of the sessionId
parameter. An attacker can construct requests with a forged sessionId and,
without performing openSession authentication, receive valid query results.
This allows authentication bypass and unauthorized reading of time-series
data.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Metrics
Affected Vendors & Products
References
History
Mon, 06 Jul 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Apache
Apache iotdb |
|
| Vendors & Products |
Apache
Apache iotdb |
Mon, 06 Jul 2026 09:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue. | |
| Title | Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC | |
| Weaknesses | CWE-290 | |
| References |
|
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-07-06T08:38:54.778Z
Reserved: 2026-01-20T02:32:08.414Z
Link: CVE-2026-24013
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-06T11:15:03Z