PT-2026-55880 · Apache · Apache Iotdb

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-24014

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Apache IoTDB versions 1.3.3 through 2.0.7
Description The internal RPC interface of the Apache IoTDB DataNode used for creating Trigger instances fails to sufficiently validate the name of the uploaded Trigger JAR when constructing a file path. If the internal DataNode RPC port is exposed to an untrusted network, an attacker can use path traversal sequences in the JAR name to write files outside the designated Trigger installation directory. This allows for arbitrary file write operations with the permissions of the IoTDB process.
Recommendations Upgrade to version 2.0.8.

Unrestricted File Upload

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-24014

Affected Products

Apache Iotdb