Impact
Apache IoTDB contains a path traversal vulnerability (CWE-22): an attacker can supply a pathname containing traversal sequences that resolves to a file outside the directory the application intends to expose, potentially disclosing sensitive configuration or data files. Because the flaw could also be leveraged to modify key files, it is a vector for further compromise of the host, not only an information leak. The primary impact is therefore the ability to read or alter files that the application should have kept out of reach, bounded only by the permissions of the account under which IoTDB runs.
Affected Systems
The vulnerability affects Apache IoTDB versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.6; both the 1.x and 2.x release lines are affected. Operators running Apache IoTDB should compare their installed version against these ranges.
Risk and Exploitability
No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is a path traversal, a remote attacker who can issue requests to the IoTDB server may craft paths that resolve outside the intended directory and read arbitrary files readable by the server process, compromising confidentiality, integrity, and potentially availability if critical configuration is altered. No CVSS score is provided, but the impact is considered high because the flaw allows direct manipulation of the file system with the application's own privileges. Until the vendor releases a fix, the risk remains significant in environments where IoTDB is exposed to external networks or untrusted clients.
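The traversal pattern described above, shown beside the containment check that closes it, as an added example in Python (this is not Apache IoTDB code, which is Java; the base directory, file names and request strings are constructed for illustration and do not reflect IoTDB's real layout):

```python
"""Path traversal (CWE-22): the naive pattern beside a hardened resolver.

Added example; not Apache IoTDB code. BASE_DIR and every request string
below are constructed for illustration and do not reflect IoTDB's layout.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical data directory the service is supposed to confine reads to.
BASE_DIR = "/var/lib/iotdb/data"

# Constructed request strings: one legitimate, one relative that stays inside,
# then the classic escapes an attacker would try.
SAMPLE_REQUESTS = [
    "sensor1/2024.tsfile",
    "logs/../sensor2/a.tsfile",
    "../../../../etc/passwd",
    "/etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "../data-evil/x",
]


def resolve_unsafe(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join and trust the result.

    posixpath.join drops base_dir entirely when user_path is absolute, and
    '..' components survive, so the OS happily opens files outside base_dir.
    """
    return posixpath.join(base_dir, user_path)


def resolve_safe(base_dir: str, user_path: str) -> str:
    """Hardened resolver: decode once, normalise, then require containment.

    Raises ValueError for anything that would resolve outside base_dir.
    The check is purely lexical: if base_dir may contain symlinks, also
    compare os.path.realpath() of the opened file, or open with O_NOFOLLOW.
    """
    base = posixpath.normpath(base_dir)
    if not base.startswith("/"):
        raise ValueError("base_dir must be absolute")
    # Decode exactly once, as the server would, so '%2e%2e' cannot slip past
    # a naive textual filter for '..'.
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Containment must be checked per path component: a plain string-prefix
    # test would accept '/var/lib/iotdb/data-evil/x' as inside '/var/lib/iotdb/data'.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_traversal_attempt(raw: str, max_decodes: int = 2) -> bool:
    """Detection heuristic for request logs: would this path try to escape?

    Decodes a bounded number of times to catch double-encoded '..', treats
    backslashes as separators, and flags absolute paths. Any '..' component
    is reported, even one that happens to stay inside the base directory,
    because legitimate clients have no reason to send it.
    """
    s = raw
    for _ in range(max_decodes):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")
    return s.startswith("/") or any(part == ".." for part in s.split("/"))


def audit(user_paths):
    """Run each request through both resolvers and the detector.

    Returns {request: (path the naive code would open, hardened result or
    None if rejected, flagged by the detector)}.
    """
    report = {}
    for p in user_paths:
        naive = posixpath.normpath(resolve_unsafe(BASE_DIR, p))
        try:
            hardened = resolve_safe(BASE_DIR, p)
        except ValueError:
            hardened = None
        report[p] = (naive, hardened, is_traversal_attempt(p))
    return report


if __name__ == "__main__":
    for req, (naive, hardened, flagged) in audit(SAMPLE_REQUESTS).items():
        print(f"{req!r:45} naive->{naive:32} hardened->{hardened} flagged={flagged}")
```

Running the block prints, for each constructed request, the file the naive join would open, what the hardened resolver returns (or that it rejected the request), and whether the log heuristic would have flagged it. The sibling-directory case (`../data-evil/x`) is included because a string-prefix check without the trailing separator is a common mistake in otherwise correct fixes.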
OpenCVE Enrichment