TL;DR
Apache has fixed five security flaws in Apache IoTDB, an industrial IoT time-series database. The Apache Software Foundation rated all five as “important.” The bugs range from privilege escalation to an unauthenticated denial-of-service, and version 2.0.10 fixes every one.
- Total: 5 CVEs
- Severity: 3 Critical · 1 High · 1 Medium
- Actively exploited: None confirmed
- Highest severity: 9.8 (Critical · CVSSv3) — CVE-2026-40008
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-40008 | 9.8 | CWE-470 | 2.0.10 | Not exploited |
| CVE-2026-28564 | 9.8 | CWE-294 | 2.0.10 | Not exploited |
| CVE-2026-40005 | 9.1 | CWE-22 | 2.0.10 | Not exploited |
| CVE-2026-40006 | 7.5 | CWE-306 | 2.0.10 | Not exploited |
| CVE-2026-40009 | 6.5 | CWE-269 | 2.0.10 | Not exploited |
Why it matters
IoTDB stores sensor and telemetry data at scale. A breach can expose that data or take a node offline. Since IoTDB often sits inside industrial networks, downtime carries real cost. So these fixes deserve quick attention.
How the attacks work
Each flaw abuses a different weak spot. Together, they span access control, memory, and file handling.
Privilege escalation and unsafe reflection
CVE-2026-40009 lets an authenticated user gain full tree-path access. The trick is renaming the account to a reserved internal name. Separately, CVE-2026-40008 abuses unsafe reflection. The pipe processor instantiates any Java class it receives, with no allowlist.
DoS, path traversal, and stale credentials
CVE-2026-40006 is the most exposed issue. An unauthenticated attacker can send one crafted value to the AirGap pipe receiver. That forces a huge memory allocation and crashes the node. Meanwhile, CVE-2026-40005 allows path traversal, so an attacker can write files outside the intended folder. Finally, CVE-2026-28564 lets stale cached credentials pass REST Basic Authentication.
Affected versions
Four flaws affect Apache IoTDB from 1.0.0 up to 2.0.10. The privilege-escalation bug, CVE-2026-40009, affects 2.0.8 and 2.0.9. Version 2.0.10 resolves all five.
Patch and mitigation
Upgrade to Apache IoTDB 2.0.10 without delay. You can grab it from the official Apache IoTDB download page. If you cannot patch yet, disable the AirGap pipe receiver and restrict network access to trusted hosts. No public proof-of-concept or in-the-wild exploitation has been confirmed.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.