ГлавнаяУязвимости → CVE-2026-24013
9.1критическая

CVE-2026-24013

Описание

Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

Затрагиваемое ПО
Apache Iotdb
CVSS
Балл9.1 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Источники
https://lists.apache.org/thread/6pwkgnqhbm56mvn309f87snm84s0b75yhttp://www.openwall.com/lists/oss-security/2026/07/06/11