Apache IoTDB Auth Bypass via Forged SessionId (pre2.0.8)
CVE-2026-24013 Published on July 6, 2026

Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC
Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

Vendor Advisory NVD

Weakness Type

Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.


Products Associated with CVE-2026-24013

Want to know whenever a new CVE is published for Apache Iotdb? stack.watch will email you.

 

Affected Versions

Apache Software Foundation Apache IoTDB: