Description
Improper Input Validation vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.

Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
Published: 2026-03-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Input Validation Flaw
Action: Immediate Patch
AI Analysis

Impact

Apache IoTDB does not adequately validate query input before it reaches the JEXL expression evaluator, so an attacker who can submit queries can inject JEXL expressions of their own. Because the injected expression is evaluated server-side, the attacker influences what the server computes rather than merely which data it returns, which is the defining property of expression-language injection. The advisory classifies the flaw under CWE-20 (Improper Input Validation) and CWE-917 (Expression Language Injection); it does not describe the injection point or the concrete effect of a successful injection.

Affected Systems

Affected versions are Apache IoTDB 1.0.0 through 1.3.6 and 2.0.0 through 2.0.6. Note that the CPE attached to this record (cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*) carries a wildcard version, so asset matching should be done on the stated version ranges rather than on the CPE alone. Installations in these ranges should be upgraded before they are exposed to any untrusted query source.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the flaw 9.8 Critical: reachable over the network, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity and availability. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild as of the enrichment date, although the SSVC assessment marks it as automatable with total technical impact. Exploitation would consist of sending a crafted query containing JEXL syntax to a reachable IoTDB instance; since the vector records PR:N, do not assume that authentication on the query interface is a barrier. The advisory does not describe the injection point or the concrete effect of a successful injection, so treat the CVSS impact ratings as the upper bound rather than a confirmed result.

Generated by OpenCVE AI on April 17, 2026 at 11:54 UTC.

Remediation

Vendor fix: upgrade to Apache IoTDB 1.3.7 (1.x line) or 2.0.7 (2.x line), as stated in the description. No vendor workaround for unpatched versions is provided.

OpenCVE Recommended Actions

  • Upgrade Apache IoTDB to 1.3.7 or later on the 1.x line, or 2.0.7 or later on the 2.x line; these releases contain the fix for the injection flaw
  • If an upgrade is not immediately possible, restrict network access to the IoTDB query interface to trusted hosts only and enforce strict role‑based permissions so that only accounts which need to can submit arbitrary queries; the CVSS vector records PR:N, so network restriction is the control that actually removes exposure
  • Monitor query logs for JEXL constructs that have no place in a time‑series filter (interpolation syntax, object instantiation, reflection, runtime or process access) and, where a query front end of your own sits in front of IoTDB, reject expressions that fall outside an allowlisted grammar rather than attempting to sanitize them
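Below is an added example of the two controls in the last two bullets, written for this page rather than taken from OpenCVE or from the Apache IoTDB project. It is a small Python scanner that flags JEXL constructs in query-log lines (denylist) and a validator that accepts only a narrow filter-expression grammar (allowlist). The log layout, the rule names and the sample lines are all constructed for the example; the flagged lines illustrate generic JEXL constructs a detector should catch and are not a known IoTDB injection point or payload.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Denylist of JEXL constructs that have no place in a time-series filter and
# that are the usual building blocks of expression-language injection:
# interpolation syntax, object instantiation, reflection, and process or
# runtime access.  Rule names are ours, not IoTDB's.
SUSPICIOUS_JEXL: Dict[str, re.Pattern] = {
    "interpolation":  re.compile(r"[#$]\{"),
    "instantiation":  re.compile(r"\bnew\s*\("),
    "reflection":     re.compile(r"\.(?:getClass|forName|getMethod|getDeclared\w+|invoke)\s*\(", re.I),
    "class_literal":  re.compile(r"\.class\b"),
    "runtime_access": re.compile(r"java\.lang\.(?:Runtime|ProcessBuilder|System)\b|\bgetRuntime\s*\(|\bexec\s*\("),
    "script_engine":  re.compile(r"\b(?:ScriptEngineManager|JexlEngine|JexlBuilder)\b"),
}


class Finding(NamedTuple):
    timestamp: str
    user: str
    client: str
    rule: str
    query: str


# Assumed log layout for this example (not IoTDB's real log format):
# "<iso-timestamp> <user> <client-ip> <query text>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample lines.  Lines 2-4 carry generic JEXL constructs so the
# scanner has something to flag; they are not a known IoTDB injection payload.
SAMPLE_LOG = """\
2026-03-09T10:01:02Z root 10.0.0.5 SELECT temperature FROM root.sg1.d1 WHERE temperature > 1000
2026-03-09T10:01:03Z root 10.0.0.5 SELECT s1 FROM root.sg1.d1 WHERE s1 > ${3*2}
2026-03-09T10:01:05Z guest 203.0.113.7 SELECT s1 FROM root.sg1.d1 WHERE ''.getClass().forName('java.lang.Runtime').getRuntime().exec('id')
2026-03-09T10:01:06Z guest 203.0.113.7 SELECT s1 FROM root.sg1.d1 WHERE new('java.lang.ProcessBuilder', 'id').start()
2026-03-09T10:01:07Z root 10.0.0.5 SELECT avg(s1) FROM root.sg1.d1 WHERE s1 * 2 >= 10 && s1 < 100
"""


def scan_query_log(text: str) -> List[Finding]:
    """One Finding per (line, rule) pair; a single line can trip several rules."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        ts, user, client, query = m.groups()
        for rule, pattern in SUSPICIOUS_JEXL.items():
            if pattern.search(query):
                findings.append(Finding(ts, user, client, rule, query))
    return findings


def count_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Findings per source address, the first thing an analyst pivots on."""
    return dict(Counter(f.client for f in findings))


# Positive validation for a filter expression: time-series paths, numeric and
# duration literals, single-quoted strings, comparison/arithmetic operators,
# boolean connectives and simple function calls.  Anything outside the grammar
# is rejected, not rewritten: refusing a hostile expression is far easier to
# get right than sanitizing it.
_TOKEN = re.compile(r"""
      \s+                                        # whitespace
    | -?\d+(?:\.\d+)?(?:ms|us|ns|s|m|h|d)?       # numeric or duration literal
    | '(?:[^'\\]|\\.)*'                          # single-quoted string literal
    | [A-Za-z_][\w*]*(?:\.[\w*]+)*               # identifier or time-series path
    | >=|<=|!=|==|&&|\|\||[-+*/%<>(),]           # operators and punctuation
""", re.X)
_FORBIDDEN_SEGMENT = re.compile(r"^(?:new|class|null)$", re.I)


def is_safe_expression(expr: str) -> bool:
    """True only if every token fits the allowlist and parentheses balance."""
    pos, depth = 0, 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:                      # '$', '.' after a literal, etc.
            return False
        tok = m.group(0)
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                return False
        # Check each dotted segment so 'root.x.class' is caught, not just 'class'.
        if any(_FORBIDDEN_SEGMENT.match(seg) for seg in tok.split(".")):
            return False
        pos = m.end()
    return depth == 0


if __name__ == "__main__":
    for f in scan_query_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.user} [{f.rule}] {f.query}")
    print(count_by_client(scan_query_log(SAMPLE_LOG)))
```

The denylist is a monitoring aid and will never be complete; the allowlist is the control to rely on where you own the layer that accepts expressions, and it deliberately has no way to express method calls on literals, property access named class, or interpolation, so the flagged sample lines are rejected by construction.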


Advisories

Source: GitHub GHSA
ID: GHSA-6w48-2g9j-v9q5
Title: Apache IoTDB has an Improper Input Validation vulnerability

History

Tue, 10 Mar 2026 19:00:00 +0000

  Type         Values Removed   Values Added
  Weaknesses   (none)           CWE-917
  CPEs         (none)           cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*

Tue, 10 Mar 2026 18:15:00 +0000

  Type         Values Removed   Values Added
  Metrics      (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Apache; Apache iotdb
  Vendors & Products   (none)           Apache; Apache iotdb

Mon, 09 Mar 2026 10:30:00 +0000

  Type         Values Removed   Values Added
  References   (none)

Mon, 09 Mar 2026 09:15:00 +0000

  Type         Values Removed   Values Added
  Description  (none)           Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
  Title        (none)           Apache IoTDB: JEXL Expression Injection Vulnerability
  Weaknesses   (none)           CWE-20
  References   (none)


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-10T17:55:45.832Z

Reserved: 2026-01-26T02:40:07.150Z

Link: CVE-2026-24713

Vulnrichment

Updated: 2026-03-09T09:19:57.439Z

NVD

Status : Analyzed

Published: 2026-03-09T09:16:02.933

Modified: 2026-03-10T18:57:14.640

Link: CVE-2026-24713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses