CVE-2026-23906
CVE-2026-23906 is a critical-severity vulnerability in Apache Druid with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 1% (60th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-6219
- Weakness: CWE-287
- Affected product: Apache Druid
- Published:
- Last modified:
Description
Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying LDAP server permits anonymous bind Vulnerability Description An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials. The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication. Impact A remote, unauthenticated attacker can: * Gain unauthorized access to the Apache Druid cluster * Access sensitive data stored in Druid datasources * Execute queries and potentially manipulate data * Access administrative interfaces if the bypassed account has elevated privileges * Completely compromise the confidentiality, integrity, and availability of the Druid deployment Mitigation Immediate Mitigation (No Druid Upgrade Required): * Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action. Resolution * Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
Frequently asked questions
- What is CVE-2026-23906?
- Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying LDAP server permits anonymous bind Vulnerability Description An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials. The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication. Impact A remote, unauthenticated attacker can: * Gain unauthorized access to the Apache Druid cluster * Access sensitive data stored in Druid datasources * Execute queries and potentially manipulate data * Access administrative interfaces if the bypassed account has elevated privileges * Completely compromise the confidentiality, integrity, and availability of the Druid deployment Mitigation Immediate Mitigation (No Druid Upgrade Required): * Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action. Resolution * Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
- How severe is CVE-2026-23906?
- CVE-2026-23906 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-23906 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (60th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-23906?
- CVE-2026-23906 affects Apache Druid. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-23906?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-23906 have an EU (EUVD) identifier?
- Yes. CVE-2026-23906 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-6219.
- When was CVE-2026-23906 published?
- CVE-2026-23906 was published on 2026-02-10 and last updated on 2026-06-17.
References
- https://lists.apache.org/thread/2x9rv3kv6t1p577lvq4z0rl0zlt9g4sr
- http://www.openwall.com/lists/oss-security/2026/02/09/5
Affected products (1)
- cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Druid
- CVE-2025-59390 — Critical (CVSS 9.8): Apache Druid’s Kerberos authenticator uses a weak fallback secret when the…
- CVE-2021-26919 — High (CVSS 8.8): Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted…
- CVE-2021-25646 — High (CVSS 8.8): Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This…
- CVE-2024-45537 — Medium (CVSS 6.5): Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This…
- CVE-2021-36749 — Medium (CVSS 6.5): In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP…
- CVE-2021-26920 — Medium (CVSS 6.5): In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP…
All CVEs affecting Apache Druid →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →