CVE-2026-24014
Received Received - Intake

Path Traversal in Apache IoTDB DataNode RPC Interface

Vulnerability report for CVE-2026-24014, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an attacker may use path traversal sequences in the JAR name to write files outside the intended Trigger installation directory. This could allow arbitrary file write with the permissions of the IoTDB process. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache iotdb From 1.3.3 (inc) to 2.0.8 (exc)
apache iotdb 2.0.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Apache IoTDB DataNode’s internal RPC interface used for creating Trigger instances. The issue arises because the system uses the uploaded Trigger JAR file name to build a file path without properly validating it. If the internal DataNode RPC port is exposed to an untrusted network, an attacker can exploit this by including path traversal sequences in the JAR name.

This allows the attacker to write files outside the intended Trigger installation directory, effectively enabling arbitrary file write operations with the permissions of the IoTDB process.

Impact Analysis

The vulnerability can lead to an attacker writing arbitrary files on the system where Apache IoTDB is running. Since the attacker can write files outside the intended directory with the same permissions as the IoTDB process, this could lead to unauthorized modification or insertion of malicious files.

Such unauthorized file writes can compromise system integrity, potentially allowing further exploitation, data corruption, or disruption of service.

Mitigation Strategies

Users are recommended to upgrade Apache IoTDB to version 2.0.8, which fixes the vulnerability.

Additionally, ensure that the internal DataNode RPC port is not exposed to untrusted networks to prevent exploitation via path traversal sequences in the Trigger JAR name.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart