CVE-2026-24012
HIGHApache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
Title source: cnaDescription
Uncontrolled Resource Consumption vulnerability in Apache IoTDB. Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://lists.apache.org/thread/0g5th1t2vj6j8hm5t9w3xh9n6f6ht9z8
Scores
CVSS v3
7.5
EPSS
0.0055
EPSS Percentile
42.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
apache/iotdb
1.3.3 - 2.0.8
Apache Software Foundation/Apache IoTDB
1.3.3 - 2.0.8
Published
Jul 06, 2026
Tracked Since
Jul 06, 2026