CVE-2026-23906
Status: Modified (updated after analysis)
Authentication Bypass in Apache Druid via LDAP Anonymous Bind

Publication date: 2026-02-10

Last updated on: 2026-02-12

Assigner: Apache Software Foundation

Description
Affected Products and Versions
* Apache Druid
* Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
* Prerequisites:
  * druid-basic-security extension enabled
  * LDAP authenticator configured
  * Underlying LDAP server permits anonymous bind

Vulnerability Description
An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials. The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.

Impact
A remote, unauthenticated attacker can:
* Gain unauthorized access to the Apache Druid cluster
* Access sensitive data stored in Druid datasources
* Execute queries and potentially manipulate data
* Access administrative interfaces if the bypassed account has elevated privileges
* Completely compromise the confidentiality, integrity, and availability of the Druid deployment

Mitigation
Immediate Mitigation (No Druid Upgrade Required):
* Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.

Resolution
* Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
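The bind pattern the description refers to, as an added example that is not Apache Druid's code: a simulated LDAP server whose anonymous-bind policy is a switch, the naive authenticator that takes any successful bind as proof of identity, and a hardened one that refuses to send a bind the server could treat as anonymous. The directory layout, user entry and function names are constructed for the example.

```python
from dataclasses import dataclass, field

BASE_DN = "ou=people,dc=example,dc=org"  # constructed directory layout


@dataclass
class SimulatedLdapServer:
    """Stand-in for the LDAP server; allow_anonymous mirrors its bind policy."""
    users: dict = field(default_factory=dict)  # constructed: uid -> password
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        # A simple bind carrying a DN but an empty password is an
        # "unauthenticated" bind (RFC 4513 section 5.1.2), which servers
        # handle like an anonymous bind: when the policy permits it, the bind
        # succeeds whatever the DN says and proves nothing about that user.
        if password == "":
            return self.allow_anonymous
        uid = dn.split(",", 1)[0].split("=", 1)[1]
        return self.users.get(uid) == password


def user_dn(username: str) -> str:
    return f"uid={username},{BASE_DN}"


def naive_authenticate(server: SimulatedLdapServer, username: str, password: str) -> bool:
    """The pattern behind this advisory: bind success is treated as a valid
    login, so an existing username plus an empty password is accepted."""
    return server.simple_bind(user_dn(username), password)


def hardened_authenticate(server: SimulatedLdapServer, username: str, password: str) -> bool:
    """Application-layer check: reject an empty credential before binding, so the
    server never sees a bind it could treat as anonymous. Disabling anonymous
    bind on the server itself remains the primary fix."""
    if not username or password == "":
        return False
    return server.simple_bind(user_dn(username), password)
```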
Meta Information
Published: 2026-02-10
Last Modified: 2026-02-12
Generated: 2026-05-06
AI Q&A: 2026-02-10
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: apache
Product: druid
Version / Range: from 0.17.0 (inclusive) to 36.0.0 (exclusive)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an authentication bypass in Apache Druid when using the druid-basic-security extension with LDAP authentication.

If the LDAP server allows anonymous binds, an attacker can bypass authentication by submitting an existing username with an empty password.

This happens because the system improperly validates LDAP authentication responses, treating anonymous bind success as valid user authentication.


How can this vulnerability impact me?

A remote, unauthenticated attacker can exploit this vulnerability to gain unauthorized access to the Apache Druid cluster.

  • Access sensitive data stored in Druid datasources.
  • Execute queries and potentially manipulate data.
  • Access administrative interfaces if the bypassed account has elevated privileges.

Overall, this can lead to complete compromise of the confidentiality, integrity, and availability of the Druid deployment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.

Additionally, upgrading Apache Druid to version 36.0.0 or later will resolve the issue by properly rejecting anonymous LDAP bind attempts.

