CVE-2021-26920

CVE-2021-26920 is a medium-severity vulnerability in Apache Druid with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-610.

Key facts

Description

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.

Frequently asked questions

What is CVE-2021-26920?
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.
How severe is CVE-2021-26920?
CVE-2021-26920 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2021-26920 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 10% (95th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-26920?
CVE-2021-26920 affects Apache Druid. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-26920?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2021-26920 published?
CVE-2021-26920 was published on 2021-07-02 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Apache Druid

All CVEs affecting Apache Druid →

Other CWE-610 vulnerabilities

Browse all CWE-610 vulnerabilities →