Executive Summary
A critical authentication bypass vulnerability (CVE-2026-24013) has been disclosed in Apache IoTDB, a widely deployed time-series database platform for IoT workloads. The flaw resides in certain Thrift RPC query handlers that fail to strictly validate the sessionId parameter, allowing unauthenticated attackers to forge session identifiers and receive valid query responses without completing the openSession authentication flow.
CVSS Score: 9.1 (Critical)
The vulnerability was reported by Yan Nan of Detecon Security Lab and was published on 2026-07-06 alongside a related batch of IoTDB advisories. A patch is available in Apache IoTDB 2.0.8.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-24013 |
| CVSS Score | 9.1 (Critical) |
| Type | Authentication Bypass by Spoofing |
| CWE | CWE-290 — Authentication Bypass by Spoofing |
| Attack Vector | Network |
| Authentication Required | None |
| User Interaction | None |
| Reporter | Yan Nan — Detecon Security Lab |
| Published | 2026-07-06 |
Affected Versions
| Component | Affected Versions | Fixed Version |
|---|---|---|
| Apache IoTDB | >= 1.3.3 and < 2.0.8 | 2.0.8 |
Technical Analysis
Apache IoTDB exposes a Thrift RPC interface (default port 6667) for client queries and data operations. The standard authentication flow requires clients to call openSession with valid credentials before submitting queries.
The vulnerability affects specific Thrift RPC query handlers that accept a sessionId parameter but do not verify that the session was legitimately established through openSession. An attacker can:
1. Connect to the Thrift RPC port (default TCP 6667)
2. Craft a request with an arbitrary (forged) sessionId value
3. Submit a query without calling openSession or providing credentials
4. Receive valid query results — IoTDB processes the request as authenticatedImpact
| Impact Area | Description |
|---|---|
| Data Exposure | Unauthorized read access to time-series sensor and IoT data |
| Authentication Bypass | Full bypass of the openSession credential check |
| No Credentials Required | Attack requires only network access to the Thrift RPC port |
| Confidentiality | High — all data accessible to the session query handlers |
Remediation
Step 1: Upgrade to Apache IoTDB 2.0.8
The primary fix is upgrading to version 2.0.8, which adds strict server-side session validation to the affected Thrift RPC handlers.
# Check current IoTDB version
./start-cli.sh -h 127.0.0.1 -p 6667 -u root
show version
# Download 2.0.8 from the Apache IoTDB releases page
# https://iotdb.apache.org/Download/Step 2: Firewall the Thrift RPC Port (Immediate Workaround)
If immediate upgrade is not possible, restrict access to the Thrift RPC port:
# Block external access to the default IoTDB Thrift RPC port
iptables -A INPUT -p tcp --dport 6667 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 6667 -j DROP
# Or using firewalld
firewall-cmd --permanent --zone=public --remove-port=6667/tcp
firewall-cmd --reloadStep 3: Audit Access Logs
Review IoTDB query logs for requests that did not follow the openSession → query → closeSession pattern:
# Look for query operations without corresponding session open events
grep -E "(query|execute)" /var/log/iotdb/log_info*.log | \
awk '{print $1, $2, $5}' | sort | uniq -cDetection Indicators
| Indicator | Description |
|---|---|
| Queries without preceding openSession | Potential exploitation attempts |
| Unexpected session IDs in logs | Forged session identifiers |
| Thrift RPC port accessible from internet | High risk exposure |
| Unauthenticated data reads | Successful bypass |
Post-Remediation Steps
- Upgrade to Apache IoTDB 2.0.8 or later
- Restrict Thrift RPC port access via firewall — never expose to the internet
- Enable authentication on all IoTDB nodes (verify config:
rpc_thrift_compression_enable) - Audit time-series data for unauthorized access during the exposure window
- Monitor IoTDB logs for anomalous query patterns
- Review all related CVEs from the same advisory batch (CVE-2026-24012, CVE-2026-24014)
Related Advisory (Same Patch Batch)
This CVE was disclosed alongside CVE-2026-24014 (path traversal in the DataNode Trigger JAR upload interface, CVSS 9.8) — also fixed in Apache IoTDB 2.0.8. Organizations running IoTDB should treat both as a single upgrade event.