CVE-2026-62764
Received Received - Intake

Denial of Service in Apache Accumulo via Command Injection

Vulnerability report for CVE-2026-62764, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Apache Software Foundation

Description

Improper Handling of Insufficient Privileges vulnerability in Apache Accumulo. An authenticated, but low-privileged user without system permissions may issue a remote command to gracefully shutdown system components (compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver), leading to a denial of service. This issue affects Apache Accumulo 2.1.4 and 2.1.5. Users are recommended to upgrade to version 2.1.6, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache accumulo From 2.1.4 (inc) to 2.1.5 (inc)
apache accumulo 2.1.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-274 The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Apache Accumulo allows an authenticated but low-privileged user without system permissions to remotely issue a graceful shutdown command to critical system components like compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver. This leads to a denial of service as the server honors the shutdown request despite the action being logged as denied.

Detection Guidance

Check Apache Accumulo logs for unauthorized shutdown requests or commands issued by low-privileged users. Monitor for unexpected service terminations in compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver components.

Impact Analysis

An attacker with low privileges could exploit this to shut down essential Accumulo services, disrupting operations and causing downtime for the entire cluster. This impacts availability and could lead to data processing interruptions or loss of access to critical system functions.

Compliance Impact

This vulnerability does not directly impact compliance with GDPR, HIPAA, or similar standards as it primarily causes denial of service through unauthorized shutdowns of system components. However, it could indirectly affect compliance by disrupting data availability, which is a key requirement under regulations like GDPR (data integrity) and HIPAA (service availability). Organizations must ensure system resilience and timely patching to maintain compliance.

Mitigation Strategies

Upgrade Apache Accumulo to version 2.1.6 immediately. Verify all services are running after upgrade. Restrict user permissions to prevent unauthorized shutdown commands.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62764. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart