Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
The vulnerability results from insufficient validation of user-supplied input data (CWE-20) combined with the possibility of expression or instruction injection (CWE-917). An attacker can submit a specially crafted request to the Apache IoTDB server without requiring authentication, login, or victim-side interaction. The network vector (AV:N) and lack of prerequisites (PR:N, AC:L, UI:N) make this vulnerability particularly easy to exploit.
Successful exploitation of this vulnerability can lead to complete compromise of system confidentiality, integrity, and availability — attackers can gain unauthorized access to data, modify it, or cause service unavailability.
Apache IoTDB must be immediately updated to version 1.3.7 (for 1.x branch) or 2.0.7 (for 2.x branch), which contain a patch eliminating the vulnerability. Detailed information is available in the vendor references: https://lists.apache.org/thread/vopgv6y2ccw403b0zv7rvojjrh7x1j5p
Apache IoTDB versions from 1.0.0 to 1.3.6 (before 1.3.7) and from 2.0.0 to 2.0.6 (before 2.0.7).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Iotdb
APPApache1.0.0 – 1.3.7 (bez)2.0.0 – 2.0.7 (bez)
Related vulnerabilities
Krytyczna podatność w Apache IoTDB (CVE-2026-24015)
Apache IoTDB: RCE przez rejestrację złośliwej funkcji UDF z niezaufanego URI
RCE w Apache IoTDB — zdalne wykonanie kodu bez uwierzytelnienia
Deserializacja niezaufanych danych w Apache IoTDB (RCE)
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoT...