Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2805 articles · 174872 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-40008EXPLOITEDPATCHED
apache · iotdb

Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC

Description

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validation or allowlisting. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Affected Products

VendorProductVersions
apacheiotdb1.0.0

References

  • https://lists.apache.org/thread/fm8cpvzbox2qqy99ztglm8wkk1nrg9ng(vendor-advisory)

Related News (2 articles)

Tier C
oss-security3d ago
CVE-2026-40008: Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-40008 | Apache IoTDB up to 2.0.9 Pipe Processor Class.forName externally-controlled input to select classes or code
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
2.0.10
CWECWE-470
PublishedJul 10, 2026
Last enriched3d agov3
Trending Score47
Source articles2
Independent2
Info Completeness9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-49844EXP
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Trending: 64
CRITICALCVE-2026-40005EXP
Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Trending: 47
CRITICALCVE-2026-28564EXP
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Trending: 47
HIGHCVE-2026-40452EXP
Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
Trending: 42
HIGHCVE-2026-40454EXP
Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Trending: 42

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 10, 2026
Discovered by ZDM
Jul 10, 2026
Updated: description, severity, affectedVersions, activelyExploited
Jul 10, 2026
Updated: description, affectedVersions, severity, exploitAvailable
Jul 10, 2026
Actively Exploited
Jul 10, 2026
Exploit Available
Jul 10, 2026
Patch Available
Jul 10, 2026

Version History

v3
Last enriched 3d ago
v3Tier C3d ago

Updated description with technical details, changed severity to HIGH, and noted that exploit is now available.

descriptionaffectedVersionsseverityexploitAvailable
via oss-security
v2Tier C3d ago

Updated severity to CRITICAL, added affected version 2.0.9, and corrected exploit availability.

descriptionseverityaffectedVersionsactivelyExploited
via VulDB
v13d ago

Initial creation