Iotdb Apache Iotdb

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Apache Iotdb.

By the Year

In 2026 there have been 15 vulnerabilities in Apache Iotdb with an average score of 8.6 out of ten. Last year, in 2025 Iotdb had 5 security vulnerabilities published. That is, 10 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.09.




Year Vulnerabilities Average Score
2026 15 8.63
2025 5 7.53
2024 1 9.80
2023 5 9.14
2022 3 7.93
2021 0 0.00
2020 2 8.65

It may take a day or so for new Iotdb vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Iotdb Security Vulnerabilities

Apache IoTDB C++ Client OOB Read before 1.3.8 & 2.0.10
CVE-2026-40454 7.5 - High - July 10, 2026

Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client. Out-of-bounds reads in IoTDB C++ client TsBlock deserializer crash client process on malformed server data. This issue affects Apache IoTDB C++ client: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Out-of-bounds Read

Apache IoTDB 1.3.5-1.3.7 / 2.0.5-2.0.9 Improper Auth: /rest/v2/fastLastQuery
CVE-2026-40452 7.5 - High - July 10, 2026

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

AuthZ

Apache IoTDB Privilege Escalation via __internal_auditor Rename (pre-2.0.10)
CVE-2026-40009 6.5 - Medium - July 10, 2026

Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor. This issue affects Apache IoTDB: from 2.0.8 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Improper Privilege Management

Apache IoTDB 1.0.0-<2.0.10 Unsafe Reflection via Class.forName()
CVE-2026-40008 9.8 - Critical - July 10, 2026

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validation or allowlisting. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Reflection Injection

Apache IoTDB Uncontrolled Recursion in AirGap Receiver (before 2.0.10)
CVE-2026-40007 7.5 - High - July 10, 2026

Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticated attacker can send a stream of repeated E-language prefixes that drives the recursion arbitrarily deep, exhausting the receiver thread's JVM stack and raising StackOverflowError. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Stack Exhaustion

Apache IoTDB 1.x-2.0.9 AirGap Pipe Auth Bypass & OOM via readLength
CVE-2026-40006 7.5 - High - July 10, 2026

Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver accepts raw TCP connections on port 9780 with no authentication. The readLength method reads an attacker-controlled 32-bit integer from the socket and readData passes it directly to new byte[length] with no upper-bound check. An unauthenticated attacker can cause the JVM to attempt an allocation of up to 2,147,483,647 bytes per connection, exhausting heap memory and crashing or severely degrading the DataNode process. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Stack Exhaustion

Apache IoTDB Path Traversal CVE-2026-40005 (1.0.0<2.0.10)
CVE-2026-40005 9.1 - Critical - July 10, 2026

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. An attacker can write arbitrary files anywhere the IoTDB process has write permissions with unsafe API. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Directory traversal

Apache IoTDB Session Expiration Auth Bypass CVE-2026-28564
CVE-2026-28564 9.8 - Critical - July 10, 2026

Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Insufficient Session Expiration

Apache IoTDB Auth Bypass via Forged SessionId (pre2.0.8)
CVE-2026-24013 9.1 - Critical - July 06, 2026

Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

Authentication Bypass by Spoofing

Uncontrolled Resource Consumption in Apache IoTDB 1.3.3<2.0.8
CVE-2026-24012 7.5 - High - July 06, 2026

Uncontrolled Resource Consumption vulnerability in Apache IoTDB.  Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

Resource Exhaustion

Apache IoTDB <2.0.8 Trigger JAR RPC path traversal file write
CVE-2026-24014 9.8 - Critical - July 06, 2026

Apache IoTDB DataNodes internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

Authorization

IoTDB Path Traversal CVE-2025-64152 1.0.0-2.0.7 VULN (fixed 1.3.6/2.0.7)
CVE-2025-64152 9.1 - Critical - June 26, 2026

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.6 and 2.0.7, which fixes the issue.

Directory traversal

Apache IoTDB 2.0.02.0.5/1.0.01.3.5 Path Traversal in Restricted Directory
CVE-2025-55017 9.1 - Critical - June 26, 2026

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6. Users are recommended to upgrade to version 1.3.6 and 2.0.6, which fixes the issue.

Directory traversal

Apache IoTDB Improper Input Validation (1.3.7/2.0.7 fixes)
CVE-2026-24713 9.8 - Critical - March 09, 2026

Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.

Improper Input Validation

Apache IoTDB CVE-2026-24015: versions <=1.3.6 & <=2.0.6 vulnerable
CVE-2026-24015 9.8 - Critical - March 09, 2026

A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.

Binding to an Unrestricted IP Address

Apache IoTDB 1.3.31.3.4 & 2.0.1beta2.0.4 Vulnerability fixed in 2.0.5
CVE-2025-48392 7.5 - High - September 24, 2025

A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue.

Resource Exhaustion

Deserialization Vulnerability in Apache IoTDB 1.0.02.0.5
CVE-2025-48459 5.3 - Medium - September 24, 2025

Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue.

Marshaling, Unmarshaling

Apache IoTDB JDBC: Log File Info Disclosure v0.10.0–1.3.3, 2.0.1-beta
CVE-2025-26795 - May 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.

Insertion of Sensitive Information into Log File

Apache IoTDB V0.10~2.0.1-beta: Sensitive Data Exposure in OpenIdAuthorizer
CVE-2025-26864 - May 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

Information Disclosure

Apache IoTDB RCE via Untrusted URI in UDF Registration (bef. 1.3.4)
CVE-2024-24780 9.8 - Critical - May 14, 2025

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.

Code Injection

Apache IoTDB RCE in v1.0.01.2.2 Fixed in 1.3.0
CVE-2023-46226 9.8 - Critical - January 15, 2024

Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.

Deserialization Flaw in Apache IoTDB 0.13.00.13.4 (pre1.2.2)
CVE-2023-51656 9.8 - Critical - December 21, 2023

Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.

Marshaling, Unmarshaling

Apache IoTDB iotdb-web-workbench 0.13.3 Incorrect Auth Vulnerability (before 0.13.4)
CVE-2023-30771 9.8 - Critical - April 17, 2023

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.

AuthZ

Apache IoTDB Grafana Conn Improper Auth v0.13.0-0.13.3
CVE-2023-24831 9.8 - Critical - April 17, 2023

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4.

authentification

Apache IoTDB iotdb-web-workbench <=0.13.2 Incorrect Auth
CVE-2023-24829 8.8 - High - January 31, 2023

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.

AuthZ

Apache IoTDB iotdb-web-workbench Improper Auth before 0.13.3
CVE-2023-24830 7.5 - High - January 30, 2023

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.

authentification

Apache IoTDB 0.12.2-0.12.6/0.13.0-0.13.2: RegExp DoS on Java 8
CVE-2022-43766 7.5 - High - October 26, 2022

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.

Apache IoTDB 0.13.0 Session ID Attack Vulnerability
CVE-2022-38369 8.8 - High - September 05, 2022

Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue.

Session Fixation

Apache IoTDB grafana-connector 0.13.0 Auth Bypass Exposes DB Schema
CVE-2022-38370 7.5 - High - September 05, 2022

Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue.

AuthZ

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly
CVE-2020-25649 7.5 - High - December 03, 2020

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

XXE

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2
CVE-2020-1952 9.8 - Critical - April 27, 2020

An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification.Then, clients could execute code remotely.

Improper Certificate Validation

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apache Iotdb or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Iotdb
Product

subscribe