Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2805 articles · 174872 vulns · 37/41 feeds (7d)
← Back to list
7.5
CVE-2026-40452EXPLOITEDPATCHED
apache · iotdb

Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users

Description

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.

Affected Products

VendorProductVersions
apacheiotdb1.3.5, 2.0.5

References

  • https://lists.apache.org/thread/04j2l6dosyboor4o2gvrzbrcrpllmh95(vendor-advisory)

Related News (2 articles)

Tier C
oss-security3d ago
CVE-2026-40452: Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-40452 | Apache IoTDB up to 1.3.7/2.0.9 FastLastQuery /rest/v2/fastLastQuery authorization
→ No new info (linked only)
CVSS 3.17.5 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
1.3.82.0.10
CWECWE-863, CWE-284
PublishedJul 10, 2026
Last enriched2d agov2
Trending Score42
Source articles2
Independent2
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-49844EXP
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Trending: 64
CRITICALCVE-2026-40008EXP
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Trending: 47
CRITICALCVE-2026-40005EXP
Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Trending: 47
CRITICALCVE-2026-28564EXP
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Trending: 47
HIGHCVE-2026-40454EXP
Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Trending: 42

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 10, 2026
Discovered by ZDM
Jul 10, 2026
Updated: affectedVersions, severity, activelyExploited
Jul 10, 2026
Actively Exploited
Jul 10, 2026
Patch Available
Jul 10, 2026

Version History

v2
Last enriched 2d ago
v2Tier C3d ago

Updated affected versions to include 1.3.7 and 2.0.9, changed severity to HIGH, and noted that no exploit exists.

affectedVersionsseverityactivelyExploited
via VulDB
v13d ago

Initial creation