CVE-2026-24013 PUBLISHED

Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC

Assigner: apache
Reserved: 20.01.2026 Published: 06.07.2026 Updated: 06.07.2026

Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This allows authentication bypass and unauthorized reading of time-series data.

This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.

Users are recommended to upgrade to version 2.0.8, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache IoTDB
Versions Default: unaffected
  • affected from 1.3.3 to 2.0.8 (excl.)

Credits

  • Yan Nan (Detecon Security Lab) finder

References

Problem Types

  • CWE-290 Authentication Bypass by Spoofing CWE