CVE-2026-40009
MEDIUMApache IoTDB 2.0.8 to < 2.0.10 - Authenticated Privilege Escalation
Title source: manualDescription
Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor. This issue affects Apache IoTDB: from 2.0.8 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://lists.apache.org/thread/65hh7dh28rcxlzdzwdpt630321tr8b61
Scores
CVSS v3
6.5
EPSS
0.0021
EPSS Percentile
11.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-269
CWE-284
Status
published
Products (1)
Apache Software Foundation/Apache IoTDB
2.0.8 - 2.0.10
Published
Jul 10, 2026
Tracked Since
Jul 10, 2026