Back to overview

CVE-2026-24012

HIGH
7.5
CVSS 3.1
Description
Uncontrolled Resource Consumption vulnerability in Apache IoTDB.  Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.

Metadata

CVE ID
CVE-2026-24012
State
PUBLISHED
Assigner
apache
Reserved
2026-01-20 02:30 UTC
Published
2026-07-06 08:38 UTC
Last updated
2026-07-06 12:59 UTC
Primary CWE
CWE-400
CWE-400 Uncontrolled Resource Consumption
Vendor / Product
Apache Software Foundation / Apache IoTDB
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Apache Software Foundation Apache IoTDB 1.3.3 < 2.0.8
Weakness (CWE)
CWESourceDescription
CWE-400 cna CWE-400 Uncontrolled Resource Consumption
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 adp CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Back to overview