CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-24014

criticalCVSS 9.8covered by 1 sourcefirst seen 2026-07-06
Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

⚡ Watch CVE-2026-24014

Get an email if CVE-2026-24014 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-24014

CVE.org record

Embed the live status

CVE-2026-24014 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-24014 status](https://www.csirts.com/badge/CVE-2026-24014)](https://www.csirts.com/cve/CVE-2026-24014)