Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6.

Users are recommended to upgrade to version 1.3.6 and 2.0.6, which fixes the issue.
Published: 2026-06-26
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache IoTDB contains a path traversal flaw caused by inadequate restriction of user-supplied pathnames to the intended directory. An attacker can provide crafted input that resolves to directories outside the intended root, allowing arbitrary files to be read and, if the exposed interfaces permit it, potentially written to any location the process can access (inferred). This weakness is classified as CWE-22 and may lead to disclosure of sensitive configuration or operating system files, affecting the confidentiality of the system.

Affected Systems

Apache IoTDB maintained by the Apache Software Foundation. Versions 2.0.0 through 2.0.5 and 1.0.0 through 1.3.5 are impacted. Any deployment of these versions is vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity, while EPSS data is not available, suggesting a low probability of exploitation at this time. Path traversal vulnerabilities may pose a high risk, especially when exposed through network-accessible interfaces (inferred). The flaw is not listed in the CISA KEV catalog, so there is no current evidence of exploitation in the wild. Based on the description, it is inferred that the flaw could be triggered by users capable of interacting with IoTDB’s file handling mechanisms, whether authenticated or unauthenticated.

Generated by OpenCVE AI on June 26, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache IoTDB to version 1.3.6 or 2.0.6, the releases that contain the path traversal fix.
  • Restrict network exposure of the IoTDB instance so that only trusted clients and authenticated users can send requests that involve file paths.
  • Implement strict server-side validation that ensures all file accesses are confined to designated directories, rejecting or sanitizing any paths that attempt to escape the intended root.
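The third recommended action is the generic CWE-22 mitigation: canonicalize the requested path and confirm it still lies under the designated base directory before touching the file system. The following is an added illustration of that check, not Apache IoTDB code; the base directory name, the file names and the scratch directory tree it builds are constructed sample input, and the function names are my own.

```python
"""Confine a caller-supplied file name to a designated base directory.

Added example of the CWE-22 mitigation described in the recommended
actions; this is not Apache IoTDB code. os.path.realpath resolves '..'
segments, absolute paths and symlinks before the containment check, so
the check is made on the path that would actually be opened.
"""
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested path would resolve outside the base directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` under `base_dir`.

    Rejects any request that resolves outside `base_dir`, whether via
    '..' segments, an absolute path, a NUL byte, or a symlink that
    points out of the directory tree.
    """
    if "\x00" in requested:
        raise PathEscapeError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, so the
    # containment comparison below is what actually enforces the boundary.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare against base + separator so that /data/root2 is not
    # accepted as being inside /data/root.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PathEscapeError(f"path escapes base directory: {requested!r}")
    return candidate


def check_requests(base_dir: str, requests: list[str]) -> dict[str, bool]:
    """Map each request to True (confined, would be served) or False (rejected)."""
    results = {}
    for req in requests:
        try:
            resolve_within(base_dir, req)
            results[req] = True
        except PathEscapeError:
            results[req] = False
    return results


def demo() -> dict[str, bool]:
    """Build a scratch tree (constructed sample input) and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "exports")          # the designated root
        os.makedirs(os.path.join(base, "sub"))
        os.makedirs(os.path.join(tmp, "outside"))    # must never be reachable
        # A symlink inside the base that points outside of it; skipped if
        # the platform does not allow creating symlinks here.
        link = os.path.join(base, "escape")
        try:
            os.symlink(os.path.join(tmp, "outside"), link)
        except OSError:
            link = None
        requests = [
            "data.tsfile",              # plain name, confined
            "sub/data.tsfile",          # nested name, confined
            "../outside/secret",        # parent traversal, rejected
            "/etc/passwd",              # absolute path, rejected
            "sub/../../outside/x",      # traversal hidden behind a valid prefix, rejected
        ]
        if link is not None:
            requests.append("escape/secret")  # symlink out of the tree, rejected
        return check_requests(base, requests)


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{'ALLOW ' if allowed else 'REJECT'} {req}")
```

The check compares canonical paths rather than scanning the input for `..`, so encoded or platform-specific spellings of a parent reference are handled by the same rule. Because symlinks are resolved at check time, there is still a window between the check and the subsequent open; where that matters, open relative to a directory descriptor or with no-follow semantics so the check and the open see the same object.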

Generated by OpenCVE AI on June 26, 2026 at 20:51 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1
                           {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                           ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 17:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Apache
                                       Apache iotdb
Vendors & Products                     Apache
                                       Apache iotdb

Fri, 26 Jun 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description                    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 2.0.0 before 2.0.6, from 1.0.0 before 1.3.6. Users are recommended to upgrade to version 1.3.6 and 2.0.6, which fixes the issue.
Title                          Apache IoTDB: Path Traversal Vulnerability
Weaknesses                     CWE-22
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-26T18:35:21.837Z

Reserved: 2025-08-05T02:18:45.095Z

Link: CVE-2025-55017

Vulnrichment

Updated: 2026-06-26T12:52:04.493Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:00:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')