- Product: Apache Software Foundation Apache IoTDB
- Vulnerabilities: 3 flaws (CVE-2026-24014, CVE-2026-24012, CVE-2026-24013)
- Highest severity: 9.8 (Critical · CVSSv3)
- Worst impact: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write
- Status: No confirmed exploitation yet; patches available
- Action: Update to 2.0.8 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-24014 | 9.8 | CWE-284 | 2.0.8 | Not exploited |
| CVE-2026-24013 | 9.1 | CWE-290 | 2.0.8 | Not exploited |
| CVE-2026-24012 | 7.5 | CWE-400 | 2.0.8 | Not exploited |
TL;DR
Apache IoTDB has patched three flaws in its time-series database. The worst is a critical path traversal bug, CVE-2026-24014, scored 9.8. A second flaw allows an authentication bypass, and a third causes denial of service. Version 2.0.8 fixes all three.
Why it matters
Apache IoTDB stores sensor data for many industrial and IoT setups. Many plants run it at the edge and in the cloud. So a breach can expose or corrupt live data at scale. Two of these Apache IoTDB vulnerabilities rate critical. The path traversal flaw can let an attacker write files almost anywhere. From there, a planted file can turn into code execution. Meanwhile, the authentication bypass hands outsiders access to stored data. A single weak port can put the whole store at risk. Attackers prize such databases for the data they hold. Together, the three bugs threaten privacy, safety, and uptime.
How the attack works
Path traversal to file write (CVE-2026-24014)
The DataNode internal RPC creates Trigger jobs from an uploaded JAR. It builds a file path from that JAR name without enough checks. So an attacker can add traversal marks to escape the target folder. This allows a file write with the IoTDB process rights. The flaw scored 9.8, near the top of the scale. The danger appears when the internal RPC port faces an untrusted network. A crafted JAR name is all the request needs.
Auth bypass and denial of service
CVE-2026-24013 skips strict checks on the Thrift session ID. So an attacker forges a session and reads query results without any login. That bypass scored 9.1 and exposes private sensor data. CVE-2026-24012 accepts a query with extreme time ranges. That request builds a giant result set and drains the Java heap. The DataNode process then crashes under the load. One crafted request can knock a node offline.
Affected versions
All three Apache IoTDB vulnerabilities affect versions 1.3.3 up to 2.0.8. So older 1.3.x and 2.0.x builds all carry the flaws. The 2.0.8 release fixes every issue. Detecon Security Lab reported the path traversal flaw.
Exploitation status
So far, no public exploit or in-the-wild abuse has been confirmed.
Patch and mitigation
Upgrade to Apache IoTDB 2.0.8 as soon as you can. You can grab it from the official download page. Until you patch, keep DataNode RPC ports off untrusted networks. Also guard the database behind firewall rules and network limits. Test the update in staging before you roll it out. Also review logs for odd Trigger uploads after you patch.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.