Apache Pinot
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Apache Pinot.
By the Year
In 2025 there have been 0 vulnerabilities in Apache Pinot. Last year, in 2024 Pinot had 1 security vulnerability published. Right now, Pinot is on track to have less security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 1 | 7.50 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 8.65 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Pinot vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Pinot Security Vulnerabilities
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot
CVE-2024-39676
7.5 - High
- July 24, 2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. This issue affects Apache Pinot: from 0.1 before 1.0.0. Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue. Details: When using a request to path /appconfigs to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zookeeper path). This issue was addressed by the Role-based Access Control https://docs.pinot.apache.org/operators/tutorials/authentication/basic-auth-access-control , so that /appConfigs` and all other APIs can be access controlled. Only authorized users have access to it. Note the user needs to add the admin role accordingly to the RBAC guide to control access to this endpoint, and in the future version of Pinot, a default admin role is planned to be added.
Information Disclosure
In 0.10.0 or older versions of Apache Pinot
CVE-2022-26112
9.8 - Critical
- September 23, 2022
In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0
In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables
CVE-2022-23974
7.5 - High
- April 05, 2022
In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0
Stack Exhaustion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Pinot or by Apache? Click the Watch button to subscribe.
