Description
Uncontrolled Resource Consumption vulnerability in Apache IoTDB. 

Some interface fails to impose reasonable
limits on the time span and aggregation interval of the query. An attacker
can construct a request with extreme parameters (e.g., a very large time
range combined with a minimal interval). This forces the DataNode to build
an enormous result set in memory, which exhausts the Java heap and causes
the DataNode process to crash.

This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.

Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Published: 2026-07-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache IoTDB lacks limits on the time span and aggregation interval in certain query interfaces. An attacker can craft a request with a very large time range and a minimal interval, forcing the DataNode to construct an enormous result set in memory. The massive allocation exhausts the Java heap, leading the process to crash and causing a service interruption for all clients.

Affected Systems

The vulnerability affects Apache IoTDB versions from 1.3.3 up to, but not including, 2.0.8. All deployments of these versions that expose the affected aggregation queries are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity denial-of-service condition, while the EPSS score of less than 1% suggests the probability of exploitation is low but not negligible. The issue is not listed in the CISA KEV catalog. The likely attack vector over the network to a vulnerable DataNode; based on the description, it is inferred that no special privileges are required. Because the flaw relies only on configurable query parameters, it is straightforward for an external actor to trigger the crash once the vulnerable service is reachable.

Generated by OpenCVE AI on July 6, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache IoTDB to version 2.0.8 or later, which removes the unbounded aggregation limits.
  • If an upgrade is not immediately possible, restrict the maximum time range and aggregation interval for queries at the application or network level to prevent the creation of overly large result sets.
  • Monitor Java heap usage on DataNode processes and apply memory limits or restart policies to minimize service disruption if an accidental crash occurs.

Generated by OpenCVE AI on July 6, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache iotdb
Vendors & Products Apache
Apache iotdb

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Uncontrolled Resource Consumption vulnerability in Apache IoTDB.  Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Title Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
Weaknesses CWE-400
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T20:37:56.860Z

Reserved: 2026-01-20T02:30:29.932Z

Link: CVE-2026-24012

cve-icon Vulnrichment

Updated: 2026-07-06T20:37:56.860Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T21:15:16Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption