Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2805 articles · 174872 vulns · 37/41 feeds (7d)
← Back to list
9.1
CVE-2026-40005EXPLOITEDPATCHED
apache · iotdb

Apache IoTDB: Path Traversal in Pipe File Transfer Receiver

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. An attacker can write arbitrary files anywhere the IoTDB process has write permissions with unsafe API. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Affected Products

VendorProductVersions
apacheiotdb1.0.0

References

  • https://lists.apache.org/thread/zw2vkbmy5xkf5y8g237v81hrs4c6b5lq(vendor-advisory)

Related News (2 articles)

Tier C
oss-security3d ago
CVE-2026-40005: Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-40005 | Apache IoTDB up to 2.0.9 File System path traversal
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
2.0.10
CWECWE-22
PublishedJul 10, 2026
Last enriched2d agov2
Trending Score47
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-49844EXP
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Trending: 64
CRITICALCVE-2026-40008EXP
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Trending: 47
CRITICALCVE-2026-28564EXP
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Trending: 47
HIGHCVE-2026-40452EXP
Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
Trending: 42
HIGHCVE-2026-40454EXP
Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Trending: 42

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 10, 2026
Discovered by ZDM
Jul 10, 2026
Updated: severity, affectedVersions, activelyExploited
Jul 10, 2026
Actively Exploited
Jul 10, 2026
Patch Available
Jul 10, 2026

Version History

v2
Last enriched 2d ago
v2Tier C3d ago

Updated severity to CRITICAL, added affected version 2.0.9, and noted that no exploit exists.

severityaffectedVersionsactivelyExploited
via VulDB
v13d ago

Initial creation