Apache Iotdb
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Apache Iotdb.
By the Year
In 2026 there have been 15 vulnerabilities in Apache Iotdb with an average score of 8.6 out of ten. Last year, in 2025 Iotdb had 5 security vulnerabilities published. That is, 10 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.09.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 15 | 8.63 |
| 2025 | 5 | 7.53 |
| 2024 | 1 | 9.80 |
| 2023 | 5 | 9.14 |
| 2022 | 3 | 7.93 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 8.65 |
It may take a day or so for new Iotdb vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Iotdb Security Vulnerabilities
Apache IoTDB C++ Client OOB Read before 1.3.8 & 2.0.10
CVE-2026-40454
7.5 - High
- July 10, 2026
Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client. Out-of-bounds reads in IoTDB C++ client TsBlock deserializer crash client process on malformed server data. This issue affects Apache IoTDB C++ client: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Out-of-bounds Read
Apache IoTDB 1.3.5-1.3.7 / 2.0.5-2.0.9 Improper Auth: /rest/v2/fastLastQuery
CVE-2026-40452
7.5 - High
- July 10, 2026
Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
AuthZ
Apache IoTDB Privilege Escalation via __internal_auditor Rename (pre-2.0.10)
CVE-2026-40009
6.5 - Medium
- July 10, 2026
Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor. This issue affects Apache IoTDB: from 2.0.8 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Improper Privilege Management
Apache IoTDB 1.0.0-<2.0.10 Unsafe Reflection via Class.forName()
CVE-2026-40008
9.8 - Critical
- July 10, 2026
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validation or allowlisting. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Reflection Injection
Apache IoTDB Uncontrolled Recursion in AirGap Receiver (before 2.0.10)
CVE-2026-40007
7.5 - High
- July 10, 2026
Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticated attacker can send a stream of repeated E-language prefixes that drives the recursion arbitrarily deep, exhausting the receiver thread's JVM stack and raising StackOverflowError. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Stack Exhaustion
Apache IoTDB 1.x-2.0.9 AirGap Pipe Auth Bypass & OOM via readLength
CVE-2026-40006
7.5 - High
- July 10, 2026
Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function vulnerability in Apache IoTDB. When pipe_air_gap_receiver_enabled=true, the IoTDB AirGap pipe receiver accepts raw TCP connections on port 9780 with no authentication. The readLength method reads an attacker-controlled 32-bit integer from the socket and readData passes it directly to new byte[length] with no upper-bound check. An unauthenticated attacker can cause the JVM to attempt an allocation of up to 2,147,483,647 bytes per connection, exhausting heap memory and crashing or severely degrading the DataNode process. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Stack Exhaustion
Apache IoTDB Path Traversal CVE-2026-40005 (1.0.0<2.0.10)
CVE-2026-40005
9.1 - Critical
- July 10, 2026
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. An attacker can write arbitrary files anywhere the IoTDB process has write permissions with unsafe API. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Directory traversal
Apache IoTDB Session Expiration Auth Bypass CVE-2026-28564
CVE-2026-28564
9.8 - Critical
- July 10, 2026
Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Insufficient Session Expiration
Apache IoTDB Auth Bypass via Forged SessionId (pre2.0.8)
CVE-2026-24013
9.1 - Critical
- July 06, 2026
Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Authentication Bypass by Spoofing
Uncontrolled Resource Consumption in Apache IoTDB 1.3.3<2.0.8
CVE-2026-24012
7.5 - High
- July 06, 2026
Uncontrolled Resource Consumption vulnerability in Apache IoTDB. Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Resource Exhaustion
Apache IoTDB <2.0.8 Trigger JAR RPC path traversal file write
CVE-2026-24014
9.8 - Critical
- July 06, 2026
Apache IoTDB DataNodes internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Authorization
IoTDB Path Traversal CVE-2025-64152 1.0.0-2.0.7 VULN (fixed 1.3.6/2.0.7)
CVE-2025-64152
9.1 - Critical
- June 26, 2026
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.6 and 2.0.7, which fixes the issue.
Directory traversal
Apache IoTDB 2.0.02.0.5/1.0.01.3.5 Path Traversal in Restricted Directory
CVE-2025-55017
9.1 - Critical
- June 26, 2026
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6. Users are recommended to upgrade to version 1.3.6 and 2.0.6, which fixes the issue.
Directory traversal
Apache IoTDB Improper Input Validation (1.3.7/2.0.7 fixes)
CVE-2026-24713
9.8 - Critical
- March 09, 2026
Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
Improper Input Validation
Apache IoTDB CVE-2026-24015: versions <=1.3.6 & <=2.0.6 vulnerable
CVE-2026-24015
9.8 - Critical
- March 09, 2026
A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
Binding to an Unrestricted IP Address
Apache IoTDB 1.3.31.3.4 & 2.0.1beta2.0.4 Vulnerability fixed in 2.0.5
CVE-2025-48392
7.5 - High
- September 24, 2025
A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue.
Resource Exhaustion
Deserialization Vulnerability in Apache IoTDB 1.0.02.0.5
CVE-2025-48459
5.3 - Medium
- September 24, 2025
Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue.
Marshaling, Unmarshaling
Apache IoTDB JDBC: Log File Info Disclosure v0.10.0–1.3.3, 2.0.1-beta
CVE-2025-26795
- May 14, 2025
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.
Insertion of Sensitive Information into Log File
Apache IoTDB V0.10~2.0.1-beta: Sensitive Data Exposure in OpenIdAuthorizer
CVE-2025-26864
- May 14, 2025
Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.
Information Disclosure
Apache IoTDB RCE via Untrusted URI in UDF Registration (bef. 1.3.4)
CVE-2024-24780
9.8 - Critical
- May 14, 2025
Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Code Injection
Apache IoTDB RCE in v1.0.01.2.2 Fixed in 1.3.0
CVE-2023-46226
9.8 - Critical
- January 15, 2024
Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.
Deserialization Flaw in Apache IoTDB 0.13.00.13.4 (pre1.2.2)
CVE-2023-51656
9.8 - Critical
- December 21, 2023
Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.
Marshaling, Unmarshaling
Apache IoTDB iotdb-web-workbench 0.13.3 Incorrect Auth Vulnerability (before 0.13.4)
CVE-2023-30771
9.8 - Critical
- April 17, 2023
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.4 of iotdb-web-workbench onwards.
AuthZ
Apache IoTDB Grafana Conn Improper Auth v0.13.0-0.13.3
CVE-2023-24831
9.8 - Critical
- April 17, 2023
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3. Attackers could login without authorization. This is fixed in 0.13.4.
authentification
Apache IoTDB iotdb-web-workbench <=0.13.2 Incorrect Auth
CVE-2023-24829
8.8 - High
- January 31, 2023
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.
AuthZ
Apache IoTDB iotdb-web-workbench Improper Auth before 0.13.3
CVE-2023-24830
7.5 - High
- January 30, 2023
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.
authentification
Apache IoTDB 0.12.2-0.12.6/0.13.0-0.13.2: RegExp DoS on Java 8
CVE-2022-43766
7.5 - High
- October 26, 2022
Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it.
Apache IoTDB 0.13.0 Session ID Attack Vulnerability
CVE-2022-38369
8.8 - High
- September 05, 2022
Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue.
Session Fixation
Apache IoTDB grafana-connector 0.13.0 Auth Bypass Exposes DB Schema
CVE-2022-38370
7.5 - High
- September 05, 2022
Apache IoTDB grafana-connector version 0.13.0 contains an interface without authorization, which may expose the internal structure of database. Users should upgrade to version 0.13.1 which addresses this issue.
AuthZ
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly
CVE-2020-25649
7.5 - High
- December 03, 2020
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
XXE
An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2
CVE-2020-1952
9.8 - Critical
- April 27, 2020
An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. When starting IoTDB, the JMX port 31999 is exposed with no certification.Then, clients could execute code remotely.
Improper Certificate Validation
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Iotdb or by Apache? Click the Watch button to subscribe.