PT-2026-7140 · Apache · Druid-Basic-Security, Apache Druid

Karan Kumar · Published 2026-02-09 · Updated 2026-02-17

CVE-2026-23906 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Druid versions 0.17.0 through 35.x
Description

An authentication bypass exists in Apache Druid when the druid-basic-security extension is configured with LDAP authentication. If the LDAP server permits anonymous (unauthenticated) binds, an attacker can log in as any existing user by supplying that username together with an empty password, and so reach Druid resources without valid credentials.

The root cause is on the client side of the LDAP exchange. A simple bind that carries a user DN but an empty password is the "unauthenticated" mechanism of RFC 4513 section 5.1.2: a directory that allows it answers with resultCode success while granting only anonymous authorization, and the same RFC says clients should reject an empty password rather than send it. Druid's LDAP authenticator did not reject the empty password before binding, and it accepted any successful bind response as proof that the named user had authenticated, so an anonymous bind was counted as a valid login for that user.

A remote, unauthenticated attacker can therefore obtain access to the Druid cluster with the privileges of the impersonated account: read sensitive data, execute queries, potentially modify data, reach administrative interfaces, and compromise the confidentiality, integrity, and availability of the deployment.
Recommendations

Versions 0.17.0 through 35.x: Upgrade to version 36.0.0 or later. This is the fix.

Versions 0.17.0 through 35.x, until the upgrade is possible: Disable anonymous and unauthenticated binds on the LDAP server so that a bind with an empty password fails (typically with unwillingToPerform) instead of succeeding as anonymous. On OpenLDAP, for example, this is the disallow bind_anon directive (olcDisallows: bind_anon under cn=config). Treat this as a mitigation only: it depends on every directory that Druid can authenticate against being configured this way, and it does not change Druid's own acceptance of the bind result.
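The following Python model is added here and is not taken from the advisory or from the Apache Druid code base. It shows the two halves of the problem side by side: a simulated directory that honours the RFC 4513 unauthenticated-bind mechanism, a client check in the shape the description above gives (any successful bind counts as authentication), and a hardened check that refuses empty passwords before binding and verifies the bound identity afterwards. It also exercises the server-side mitigation from the recommendations by switching the simulated directory to reject unauthenticated binds. All names (FakeLdapServer, authenticate_vulnerable, authenticate_hardened, the sample DN and password) are this example's own, the directory contents are constructed test data, and Druid's actual LDAP code is not reproduced.

```python
"""Model of the LDAP empty-password bypass and the hardened client check.

Added example, not code from the advisory or from Apache Druid. The
directory is simulated in-process so that the example runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# LDAP resultCode values from RFC 4511 section 4.1.9.
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

ANONYMOUS = ""  # an empty authorization identity means the session is anonymous

# Constructed sample data for this example only.
ALICE_DN = "uid=alice,ou=users,dc=example,dc=com"
SAMPLE_DIRECTORY: Dict[str, str] = {ALICE_DN: "correct horse battery"}


@dataclass
class FakeLdapServer:
    """Minimal simple-bind model of a directory.

    passwords maps user DN -> password. allow_unauthenticated mirrors a
    server that honours the RFC 4513 section 5.1.2 "unauthenticated"
    mechanism: a DN with an empty password binds successfully, but the
    resulting session is anonymous. Setting it to False models the
    recommended server-side mitigation (e.g. OpenLDAP disallow bind_anon).
    """
    passwords: Dict[str, str]
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> Tuple[int, str]:
        """Return (resultCode, authorization identity) for a simple bind."""
        if dn == "" and password == "":
            return SUCCESS, ANONYMOUS            # plain anonymous bind
        if password == "":
            if self.allow_unauthenticated:
                return SUCCESS, ANONYMOUS        # the dangerous case: success, but anonymous
            return UNWILLING_TO_PERFORM, ANONYMOUS
        if self.passwords.get(dn) == password:
            return SUCCESS, dn                   # genuinely authenticated as dn
        return INVALID_CREDENTIALS, ANONYMOUS

    def find_dn(self, username: str) -> Optional[str]:
        """Stand-in for the search that maps a login name to its DN."""
        for dn in self.passwords:
            if dn.startswith(f"uid={username},"):
                return dn
        return None


def authenticate_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """The pattern the advisory describes: any successful bind == authenticated."""
    dn = server.find_dn(username)
    if dn is None:
        return False
    code, _ = server.simple_bind(dn, password)
    return code == SUCCESS


def authenticate_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Reject empty passwords before binding, as RFC 4513 section 5.1.2 asks of
    clients, then insist that the bound identity is the user and not anonymous."""
    if not password:
        return False
    dn = server.find_dn(username)
    if dn is None:
        return False
    code, authz = server.simple_bind(dn, password)
    return code == SUCCESS and authz == dn


def demo() -> Dict[str, bool]:
    """Run the cases that matter; every value should be True."""
    permissive = FakeLdapServer(SAMPLE_DIRECTORY)
    locked_down = FakeLdapServer(SAMPLE_DIRECTORY, allow_unauthenticated=False)
    return {
        "vulnerable_accepts_empty_password": authenticate_vulnerable(permissive, "alice", ""),
        "hardened_rejects_empty_password": not authenticate_hardened(permissive, "alice", ""),
        "hardened_accepts_real_password": authenticate_hardened(permissive, "alice", SAMPLE_DIRECTORY[ALICE_DN]),
        "hardened_rejects_wrong_password": not authenticate_hardened(permissive, "alice", "wrong"),
        "unknown_user_rejected": not authenticate_vulnerable(permissive, "mallory", ""),
        "server_mitigation_blocks_vulnerable_client": not authenticate_vulnerable(locked_down, "alice", ""),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the file prints one line per case. The allow_unauthenticated=False case is the server-side mitigation from the recommendations: it protects an unpatched client only as long as every directory it talks to is configured that way, whereas the hardened client check holds regardless of how the server is configured.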

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-23906
GHSA-Q672-HFC7-G833

Affected Products

Apache Druid
Druid-Basic-Security