Apache IoTDB <2.0.8 Trigger JAR RPC path traversal file write
CVE-2026-24014 Published on July 6, 2026
Apache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write
Apache IoTDB DataNodes internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Weakness Types
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-24014 has been classified to as an Authorization vulnerability or weakness.
What is an Unrestricted File Upload Vulnerability?
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVE-2026-24014 has been classified to as an Unrestricted File Upload vulnerability or weakness.
Products Associated with CVE-2026-24014
Want to know whenever a new CVE is published for Apache Iotdb? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache IoTDB:- Version 1.3.3 and below 2.0.8 is affected.