Description
Affected Products and Versions
* Apache Druid
* Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
* Prerequisites: * druid-basic-security extension enabled
* LDAP authenticator configured
* Underlying LDAP server permits anonymous bind                                                                                                                                                   






Vulnerability Description

An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous
binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.

The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.

Impact

A remote, unauthenticated attacker can:
* Gain unauthorized access to the Apache Druid cluster
* Access sensitive data stored in Druid datasources
* Execute queries and potentially manipulate data
* Access administrative interfaces if the bypassed account has elevated privileges
* Completely compromise the confidentiality, integrity, and availability of the Druid deployment                                                                                                                                                                                    


Mitigation
 
Immediate Mitigation (No Druid Upgrade Required):                                                                                                                                                  
* Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.



Resolution
* Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
Published: 2026-02-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

The vulnerability in Apache Druid arises when the druid-basic-security extension is used with LDAP authentication and the underlying LDAP server permits anonymous binds. The LDAP authenticator incorrectly validates authentication responses, treating a successful anonymous bind as a valid user authentication. This flaw allows a remote, unauthenticated attacker to supply any existing username with an empty password and gain authenticated access to the Druid cluster, thereby enabling unauthorized read, query, or administrative actions on data stored in Druid datasources.

Affected Systems

Affected systems include Apache Druid releases from version 0.17.0 through 35.x, all of which lack the proper rejection of anonymous LDAP bind attempts. The vulnerability is only present when the druid-basic-security extension is enabled, an LDAP authenticator is configured, and the LDAP server accepts anonymous binds.

Risk and Exploitability

The CVSS score of 9.8 reflects a high‑impact remote exploitation scenario. Although the EPSS score is below 1%, indicating a low current exploitation probability, the issue is not listed in the CISA KEV catalog. The attack vector is remote; an attacker must be able to reach the Druid service and trigger the LDAP authentication workflow. By exploiting the permissive anonymous bind, the attacker can bypass authentication and attain full access to the cluster without valid credentials.

Generated by OpenCVE AI on April 18, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Druid to version 36.0.0 or later, which eliminates the flaw by rejecting anonymous LDAP bind attempts
  • Disable anonymous bind on your LDAP server to prevent the vulnerability from being exploitable
  • Reconfigure the druid-basic-security extension and LDAP settings to disallow anonymous binds and enforce proper authentication

Generated by OpenCVE AI on April 18, 2026 at 12:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q672-hfc7-g833 Apache Druid Vulnerable to Authentication Bypass
History

Thu, 12 Feb 2026 05:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache druid
Vendors & Products Apache
Apache druid

Tue, 10 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
Description Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying LDAP server permits anonymous bind                                                                                                                                                    Vulnerability Description An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials. The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication. Impact A remote, unauthenticated attacker can: * Gain unauthorized access to the Apache Druid cluster * Access sensitive data stored in Druid datasources * Execute queries and potentially manipulate data * Access administrative interfaces if the bypassed account has elevated privileges * Completely compromise the confidentiality, integrity, and availability of the Druid deployment                                                                                                                                                                                     Mitigation   Immediate Mitigation (No Druid Upgrade Required):                                                                                                                                                   * Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action. Resolution * Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
Title Apache Druid: Authentication Bypass via LDAP Anonymous Bind
Weaknesses CWE-287
References

Subscriptions

Apache Druid
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-02-12T04:45:28.979Z

Reserved: 2026-01-19T08:57:10.063Z

Link: CVE-2026-23906

cve-icon Vulnrichment

Updated: 2026-02-12T04:45:28.979Z

cve-icon NVD

Status : Modified

Published: 2026-02-10T10:15:59.427

Modified: 2026-02-12T05:16:55.753

Link: CVE-2026-23906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses