CRITICAL🇵🇱 Wersja polska

CVE-2026-24713

CVSS 9.8v3.1pub. 2026-03-09upd. 2026-03-10

Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability results from insufficient validation of user-supplied input data (CWE-20) combined with the possibility of expression or instruction injection (CWE-917). An attacker can submit a specially crafted request to the Apache IoTDB server without requiring authentication, login, or victim-side interaction. The network vector (AV:N) and lack of prerequisites (PR:N, AC:L, UI:N) make this vulnerability particularly easy to exploit.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of system confidentiality, integrity, and availability — attackers can gain unauthorized access to data, modify it, or cause service unavailability.

Mitigation & patch

Apache IoTDB must be immediately updated to version 1.3.7 (for 1.x branch) or 2.0.7 (for 2.x branch), which contain a patch eliminating the vulnerability. Detailed information is available in the vendor references: https://lists.apache.org/thread/vopgv6y2ccw403b0zv7rvojjrh7x1j5p

Who is affected

Apache IoTDB versions from 1.0.0 to 1.3.6 (before 1.3.7) and from 2.0.0 to 2.0.6 (before 2.0.7).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Iotdb

    APP
    Apache
    1.0.0 – 1.3.7 (bez)2.0.0 – 2.0.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-24015CRITICAL9.8PL ✓ten sam produkt

Krytyczna podatność w Apache IoTDB (CVE-2026-24015)

CVE-2024-24780CRITICAL9.8PL ✓ten sam produkt

Apache IoTDB: RCE przez rejestrację złośliwej funkcji UDF z niezaufanego URI

CVE-2023-46226CRITICAL9.8PL ✓ten sam produkt

RCE w Apache IoTDB — zdalne wykonanie kodu bez uwierzytelnienia

CVE-2023-51656CRITICAL9.8PL ✓ten sam produkt

Deserializacja niezaufanych danych w Apache IoTDB (RCE)

CVE-2023-24831CRITICAL9.8ten sam produkt

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoT...