Executive Summary
A critical path traversal vulnerability (CVE-2026-24014) has been disclosed in Apache IoTDB, affecting the internal DataNode RPC interface used to create Trigger instances. The flaw allows an attacker with network access to the internal DataNode RPC port to supply a maliciously crafted JAR file name containing path traversal sequences, causing IoTDB to write files to arbitrary locations on the host filesystem with the privileges of the IoTDB process.
CVSS Score: 9.8 (Critical)
The vulnerability was published on 2026-07-06 as part of the same advisory batch as CVE-2026-24013. A fix is available in Apache IoTDB 2.0.8.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-24014 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Type | Path Traversal / Arbitrary File Write |
| CWE | CWE-284 — Improper Access Control; CWE-434 — Unrestricted Upload of File with Dangerous Type |
| Attack Vector | Network (internal DataNode RPC port) |
| Privileges Required | None |
| User Interaction | None |
| Published | 2026-07-06 |
Affected Versions
| Component | Affected Versions | Fixed Version |
|---|---|---|
| Apache IoTDB | 1.3.3 through 2.0.7 (inclusive) | 2.0.8 |
Technical Analysis
Apache IoTDB's DataNode RPC interface includes functionality for creating Trigger instances using uploaded JAR files. The interface accepts a JAR file name from the caller and uses it to construct a filesystem path for storing the uploaded file. The root cause is that this JAR file name is not validated for path traversal sequences before being incorporated into the file path.
Attack Flow
1. Attacker identifies an exposed internal DataNode RPC port
2. Attacker sends a CreateTrigger RPC call with a crafted JAR name:
e.g., "../../etc/cron.d/backdoor.jar"
or "../webroot/shell.jsp"
3. IoTDB constructs the file path without stripping traversal sequences
4. IoTDB writes the uploaded file to the traversal-resolved destination
5. Attacker achieves arbitrary file write with IoTDB process privilegesImpact Analysis
| Impact | Description |
|---|---|
| Arbitrary File Write | Write any file to any location IoTDB can access on the host |
| Code Execution | Write cron jobs, web shells, or config files that execute attacker code |
| Configuration Tampering | Overwrite system or application config files |
| Privilege Escalation | If IoTDB runs as root or privileged user, full system compromise |
| Confidentiality | High — file contents can be used to expose sensitive paths |
Remediation
Step 1: Upgrade to Apache IoTDB 2.0.8 (Required)
The only complete fix is upgrading to Apache IoTDB 2.0.8, which adds proper validation and sanitization of JAR file names in the DataNode Trigger creation RPC handler.
# Stop IoTDB services before upgrade
./stop-datanode.sh
./stop-confignode.sh
# Download and deploy Apache IoTDB 2.0.8
# https://iotdb.apache.org/Download/
# Verify version after upgrade
./start-cli.sh -h 127.0.0.1 -p 6667 -u root
show versionStep 2: Firewall the Internal DataNode RPC Port (Immediate Mitigation)
The DataNode RPC port is an internal cluster interface and must not be exposed to untrusted networks. This is the critical prerequisite that determines exploitability.
# Identify the DataNode RPC port (check iotdb-datanode.properties)
grep -E "^internal_address|^mpp_data_exchange_port|^data_region_consensus_port" \
conf/iotdb-datanode.properties
# Block access from untrusted networks
iptables -A INPUT -p tcp --dport <datanode_rpc_port> ! -s 10.0.0.0/8 -j DROP
# Bind DataNode to internal interface only (iotdb-datanode.properties)
# dn_rpc_address=127.0.0.1 # or your trusted internal IPStep 3: Check for Existing Exploitation
If the DataNode RPC port was exposed, inspect for signs of traversal-based file writes:
# Find recently created/modified files in unexpected locations
find / -newer /opt/iotdb/conf/iotdb-datanode.properties \
-name "*.jar" -o -name "*.jsp" -o -name "*.php" 2>/dev/null | \
grep -v /opt/iotdb/
# Check cron directories for unauthorized entries
ls -lat /etc/cron.d/ /etc/cron.hourly/ /var/spool/cron/
# Review IoTDB trigger upload logs
grep -i "trigger\|jar\|upload" /var/log/iotdb/log_info*.log | tail -100Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected files in system directories | Successful path traversal write |
JAR file names containing ../ in logs | Exploitation attempt |
| DataNode RPC port reachable from internet | Critical exposure |
| New cron jobs or web shell files | Post-exploitation activity |
Post-Remediation Steps
- Upgrade to Apache IoTDB 2.0.8 as the primary fix
- Firewall all internal DataNode RPC ports — treat as trusted-network-only
- Audit filesystem for unexpected files written during the exposure window
- Review all Trigger definitions in IoTDB for unauthorized triggers
- Rotate any credentials stored on the IoTDB host
- Apply also for CVE-2026-24013 — both are fixed in the same 2.0.8 release