PT-2026-57107 · Apache · Apache Iotdb
Andrea Cosentino
·
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-40008
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache IoTDB versions 1.0.0 through 2.0.9
Description
The pipe processor reads a fully qualified Java class name and instantiates it using the
Class.forName().newInstance() function without validation or allowlisting. This unsafe reflection allows an attacker to force the instantiation of arbitrary classes on the classpath via RPC without authentication. If a suitable gadget class is present, this can lead to remote code execution and full compromise of the process.Recommendations
Upgrade to version 2.0.10.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Iotdb