Apache IoTDB Auth Bypass via Forged SessionId (pre2.0.8)
CVE-2026-24013 Published on July 6, 2026
Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC
Authentication Bypass by Spoofing vulnerability in Apache IoTDB.
Certain Thrift RPC query handlers lack strict validation of the sessionId
parameter. An attacker can construct requests with a forged sessionId and,
without performing openSession authentication, receive valid query results.
This allows authentication bypass and unauthorized reading of time-series
data.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Weakness Type
Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.
Products Associated with CVE-2026-24013
Want to know whenever a new CVE is published for Apache Iotdb? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache IoTDB:- Version 1.3.3 and below 2.0.8 is affected.