PT-2026-57107 · Apache · Apache Iotdb

Andrea Cosentino

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-40008

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Apache IoTDB versions 1.0.0 through 2.0.9
Description The pipe processor reads a fully qualified Java class name and instantiates it using the Class.forName().newInstance() function without validation or allowlisting. This unsafe reflection allows an attacker to force the instantiation of arbitrary classes on the classpath via RPC without authentication. If a suitable gadget class is present, this can lead to remote code execution and full compromise of the process.
Recommendations Upgrade to version 2.0.10.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-40008

Affected Products

Apache Iotdb