CVE-2026-24013: Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requ
Authentication Bypass by Spoofing vulnerability in Apache IoTDB.
Certain Thrift RPC query handlers lack strict validation of the sessionId
parameter. An attacker can construct requests with a forged sessionId and,
without performing openSession authentication, receive valid query results.
This allows authentication bypass and unauthorized reading of time-series
data.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-24013
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-240130.47% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 38% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-24013 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Authentication Bypass by
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-14262: The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulner…nvd · 2026-07-11
- criticalCVE-2026-57807: Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security …nvd · 2026-07-10
- criticalCVE-2026-12761: The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordP…nvd · 2026-07-10
- criticalGHSA-xqp3-jq6g-x3qm: File Browser: Authentication Bypass via Proxy Auth Header Forgeryghsa · 2026-07-10
- highCVE-2026-56305: Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change e…nvd · 2026-07-10
- highCVE-2026-22659: FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability…nvd · 2026-07-10
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11