Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2805 articles · 174872 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-28564EXPLOITEDPATCHED
apache · iotdb

Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials

Description

Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Affected Products

VendorProductVersions
apacheiotdb1.0.0

References

  • https://lists.apache.org/thread/l38wpy7flvvfwv4rkps87l5z8gprnfy0(vendor-advisory)

Related News (2 articles)

Tier C
oss-security3d ago
CVE-2026-28564: Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-28564 | Apache IoTDB up to 2.0.9 Session Expiration authentication replay
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
2.0.10
CWECWE-613, CWE-294
PublishedJul 10, 2026
Last enriched2d agov3
Tags
authenticationbypass
Trending Score47
Source articles2
Independent2
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-49844EXP
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Trending: 64
CRITICALCVE-2026-40008EXP
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Trending: 47
CRITICALCVE-2026-40005EXP
Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Trending: 47
HIGHCVE-2026-40452EXP
Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
Trending: 42
HIGHCVE-2026-40454EXP
Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Trending: 42

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 10, 2026
Discovered by ZDM
Jul 10, 2026
Updated: description, severity, affectedVersions, activelyExploited
Jul 10, 2026
Updated: severity, affectedVersions, exploitAvailable, tags
Jul 10, 2026
Actively Exploited
Jul 10, 2026
Exploit Available
Jul 10, 2026
Patch Available
Jul 10, 2026

Version History

v3
Last enriched 2d ago
v3Tier C3d ago

Updated severity to HIGH, added new affected version 2.0.10, marked exploit as available, and added relevant tags.

severityaffectedVersionsexploitAvailabletags
via oss-security
v2Tier C3d ago

Updated severity to CRITICAL, added affected version 2.0.9, and corrected exploit availability.

descriptionseverityaffectedVersionsactivelyExploited
via VulDB
v13d ago

Initial creation