Apache IoTDB Discloses Sensitive Information via Log Files

GHSA-5fc3-pqf2-57cx · CVE-2025-26864 · PYSEC-2025-60

Published May 14, 2025 · Modified Jul 2, 2025

Description

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.

This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.

Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-26864
WEB https://github.com/apache/iotdb/pull/14863
WEB https://github.com/apache/iotdb/commit/34fcaff6b72470d5ad369307dde7fae8897aea7e
PACKAGE https://github.com/apache/iotdb
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-60.yaml
WEB https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162
WEB http://www.openwall.com/lists/oss-security/2025/05/14/4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes