The Apache Software Foundation has released a security update for Apache Druid, the high-performance real-time analytics database, to fix a glaring hole in its authentication logic. Tracked as CVE-2026-23906, this “Important” severity vulnerability allows attackers to log in to the system without a password, provided a specific LDAP configuration is in place.
For organizations using Druid to power real-time dashboards and handle massive datasets, this flaw turns a robust security gate into a revolving door.
The vulnerability lies in how the druid-basic-security extension handles LDAP authentication. Specifically, it mishandles anonymous binds. In LDAP, a simple bind that carries no credentials (an empty password, with or without a DN) does not necessarily fail: a server configured to permit anonymous access may accept it and bind the session as an anonymous user with no identity attached.
The advisory explains the failure simply: “If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password”.
In a secure system, an empty password should result in a rejection. However, vulnerable versions of Druid forward the empty password to the directory and take the bind's success result as proof that the user has authenticated as the target account. The directory never vouched for that identity; it only granted an anonymous session. This effectively treats "anonymous bind success as valid user authentication".
The impact of this bypass is severe. An attacker doesn’t just get read-only access; they inherit the permissions of whichever user they impersonate.
“A remote, unauthenticated attacker can… Gain unauthorized access to the Apache Druid cluster,” the report warns.
Once inside, the attacker could access sensitive data stored in Druid datasources, execute queries to manipulate that data, or even “Access administrative interfaces if the bypassed account has elevated privileges”. In the worst-case scenario, this leads to a complete compromise of the deployment’s confidentiality and integrity.
This vulnerability affects a long history of Druid releases.
- Affected: Versions 0.17.0 through 35.x (all versions prior to 36.0.0).
- Prerequisites: The flaw is only exploitable if the druid-basic-security extension is enabled, an LDAP authenticator is configured, and the underlying LDAP server permits anonymous binds.
The Apache team has released Druid version 36.0.0 to address the issue. This version includes fixes to “properly reject anonymous LDAP bind attempts” regardless of the server configuration.
For administrators who cannot upgrade immediately, there is a simple workaround: "Disable anonymous bind on your LDAP server". Turning off this feature at the directory level removes the precondition the exploit depends on. Note that this hardens the directory rather than Druid itself: if anonymous access is re-enabled later, or Druid is pointed at a different directory, the bypass returns, so the upgrade to 36.0.0 should still be scheduled.
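The following Python model illustrates both the flaw described above (trusting the bind result after sending an empty password) and the two remedies (the fixed authenticator logic, and the workaround of refusing anonymous binds at the directory). It is an added example written for this page, not Druid's code and not the project's fix; the toy directory server, the `uid=...,ou=people,dc=example,dc=org` DN layout, and the sample accounts are all constructed assumptions. The toy server follows the RFC 4513 simple-bind rules: a bind with no password succeeds as an anonymous session when the server allows anonymous access, and the authorization identity it returns is empty in that case.

```python
from dataclasses import dataclass


@dataclass
class ToyLdapServer:
    """Minimal stand-in for a directory server (constructed for this example).

    Models the RFC 4513 simple-bind cases that matter here:
      * empty password (with or without a DN) -> credential-less bind; a server
        that permits anonymous access returns success but binds the session as
        nobody (this toy does so whenever allow_anonymous is set)
      * DN + correct password -> authenticated as that DN
    """

    users: dict  # DN -> password (constructed sample data, not a real directory)
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> tuple[bool, str]:
        """Return (result_is_success, authorization_identity).

        An empty authorization identity means the session is anonymous.
        """
        if password == "":
            if self.allow_anonymous:
                return True, ""  # success result, but bound as nobody
            return False, ""  # server configured to refuse credential-less binds
        if self.users.get(dn) == password:
            return True, dn
        return False, ""


def user_dn(username: str) -> str:
    # Hypothetical DN layout used by this example's directory.
    return f"uid={username},ou=people,dc=example,dc=org"


def authenticate_vulnerable(server: ToyLdapServer, username: str, password: str) -> bool:
    """Authenticator with the CVE-2026-23906 shape: the supplied password is
    forwarded unchecked and the bare bind result is trusted."""
    dn = user_dn(username)
    if dn not in server.users:  # per the advisory, the username must exist
        return False
    success, _ = server.simple_bind(dn, password)
    return success  # empty password -> anonymous bind -> success -> "logged in"


def authenticate_fixed(server: ToyLdapServer, username: str, password: str) -> bool:
    """Hardened form: never send empty credentials, and require that the
    directory actually bound the session as the user we asked for."""
    if password == "":
        return False  # an anonymous bind can never prove a user's identity
    dn = user_dn(username)
    if dn not in server.users:
        return False
    success, bound_as = server.simple_bind(dn, password)
    return success and bound_as == dn


if __name__ == "__main__":
    directory = {user_dn("admin"): "S3cret!", user_dn("analyst"): "hunter2"}
    lax = ToyLdapServer(directory, allow_anonymous=True)
    strict = ToyLdapServer(directory, allow_anonymous=False)  # the advisory's workaround
    print("bypass on lax server  :", authenticate_vulnerable(lax, "admin", ""))     # True
    print("fixed code on lax     :", authenticate_fixed(lax, "admin", ""))          # False
    print("bypass on strict      :", authenticate_vulnerable(strict, "admin", ""))  # False
    print("real login still works:", authenticate_fixed(lax, "admin", "S3cret!"))  # True
```

The fixed authenticator applies two independent checks, and either one alone closes this hole: refusing an empty password before any network call, and comparing the identity the directory actually bound to the DN that was requested. To test the precondition against a real directory, `ldapwhoami -x -H ldap://ldap.example.org` (placeholder URL) with no `-D` or `-w` performs an anonymous simple bind and, on an OpenLDAP server that allows it, prints `anonymous`; on OpenLDAP the `disallow bind_anon` directive in slapd.conf shuts that off.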