CVE-2025-26864

7.5 HIGH

📋 TL;DR

Apache IoTDB's OpenIdAuthorizer, the optional authorizer that validates OpenID Connect tokens, writes sensitive authentication material to the server log. Anyone who can read those log files (local operators, log-shipping pipelines, or an attacker who has already gained file access) can recover that material and reuse it to authenticate to IoTDB. Every deployment running a vulnerable version with OpenIdAuthorizer enabled is affected.

💻 Affected Systems

Products:
  • Apache IoTDB
Versions: 0.10.0 through 1.3.3, 2.0.1-beta before 2.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Only when OpenIdAuthorizer is enabled
Notes: Only deployments that select OpenIdAuthorizer as the authorizer provider are affected; installations using the stock local-file authorizer do not exercise the vulnerable code path

📦 What is this software?

Apache IoTDB is an open-source time-series database built for IoT telemetry: high-rate ingestion, compression and SQL-like querying of device data. OpenIdAuthorizer is its optional authentication back end that accepts tokens issued by an OpenID Connect identity provider in place of IoTDB's built-in local user accounts.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to authentication credentials or tokens, leading to full system compromise, data theft, or privilege escalation within the IoTDB environment.

🟠

Likely Case

Unauthorized actors with log file access extract sensitive authentication information, potentially enabling further attacks against the IoTDB system or connected systems.

🟢

If Mitigated

With strict log-file permissions, a locked-down log-shipping path, and rotation of any tokens already written to disk, exposure is limited to the administrators who can read the logs anyway.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to log files containing sensitive information

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4 (1.x line) or 2.0.2 (2.x line)

Vendor Advisory: https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162

Restart Required: Yes

Instructions:

1. Download Apache IoTDB 1.3.4 (1.x) or 2.0.2 (2.x) from the official Apache release page and verify the signature or checksum.
2. Stop the IoTDB service (on 1.x and 2.x, the ConfigNode and DataNode processes).
3. Back up the configuration directory and the data directories.
4. Replace the installation with the patched version, carrying over your configuration.
5. Restart the IoTDB service and confirm the running version.
6. Treat tokens and credentials already written to old logs as exposed: rotate them at the identity provider and purge or redact the archived log files.

🔧 Temporary Workarounds

Restrict log file permissions

linux

Set strict permissions on the IoTDB log directory itself, not just on the files currently in it: a rotated log is a new file and takes its mode from the IoTDB process umask, so a file-only chmod stops protecting you at the next rollover.

chown -R iotdb:iotdb /path/to/iotdb/logs
chmod 700 /path/to/iotdb/logs
chmod 600 /path/to/iotdb/logs/*

Run the IoTDB process with a umask of 077 (or 027 if a log shipper in the iotdb group needs read access) so newly created log files start out restricted.

Disable OpenIdAuthorizer logging

all

Configure logging so that the OpenIdAuthorizer class cannot write authentication detail to disk. IoTDB logs through Logback rather than log4j2: edit the logback-*.xml configuration shipped under conf/ and add a logger entry for the OpenIdAuthorizer class with level ERROR (or OFF). Caveat: the advisory does not say at which level the sensitive data is written; if it is emitted at ERROR, only OFF or the patch removes it, so inspect the log output after the change.
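The corresponding Logback fragment, added here as an illustration; it is not taken from the advisory or from the IoTDB distribution. The fully qualified logger name is an assumption to confirm against the classes in your lib/ jars (org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer on the 1.x and 2.x code base; 0.x kept the class under org.apache.iotdb.db.auth.authorizer). The appender name and file paths are placeholders; reuse whatever your existing configuration already defines.

```xml
<configuration>
  <!-- Added example, not from the IoTDB distribution. Merge into the existing
       logback-*.xml under conf/; appender name and paths are placeholders. -->
  <appender name="FILEDATANODE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${IOTDB_HOME}/logs/log_datanode_all.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>${IOTDB_HOME}/logs/log_datanode_all-%d{yyyy-MM-dd}.log</fileNamePattern>
      <maxHistory>14</maxHistory>
    </rollingPolicy>
    <encoder>
      <!-- Defence in depth: scrub JWT-shaped strings and Bearer values from every
           message before it reaches disk, whichever logger emitted it. -->
      <pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %-5level %logger{36} - %replace(%replace(%msg){'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+','[redacted-jwt]'}){'(?i)bearer\s+\S+','Bearer [redacted]'}%n</pattern>
    </encoder>
  </appender>

  <!-- The workaround from the text: silence the vulnerable class below ERROR.
       Switch to level="OFF" if the secret turns out to be logged at ERROR. -->
  <logger name="org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer" level="ERROR"/>

  <root level="INFO">
    <appender-ref ref="FILEDATANODE"/>
  </root>
</configuration>
```

The encoder-level %replace is the part that keeps working even if a message slips through at a level you did not expect, at the cost of a regex per log line; the logger entry alone is cheaper but only as good as the level guess.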

🧯 If You Can't Patch

  • Implement strict access controls on the log directory and on every downstream copy (log shippers, SIEM indexes, backups); a leaked token is just as usable from a SIEM search as from the file
  • Monitor log files for unauthorized access attempts
  • Assume tokens already written to disk are compromised: rotate them at the identity provider and purge or redact archived logs

🔍 How to Verify

Check if Vulnerable:

Confirm that OpenIdAuthorizer is the configured authorizer (the authorizer_provider_class setting in the IoTDB properties under conf/) and that the running version falls inside the affected ranges. If a different authorizer is configured, the vulnerable code is not in use.

Check Version:

Run SHOW VERSION from the IoTDB CLI (./sbin/start-cli.sh also prints the version in its banner), or read the version from the jar names under lib/; in a source build, check pom.xml.

Verify Fix Applied:

Installed version is 1.3.4 or later on the 1.x line, or 2.0.2 or later on the 2.x line. There is no fixed 0.x release: any remaining 0.10.0+ deployment is still vulnerable and must move to a fixed 1.x version.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to log files
  • Sensitive authentication strings appearing in log entries
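The version check from "How to Verify" and the log-indicator check above, written out as an added Python example that is not part of the advisory or of IoTDB. The version ranges are the advisory's. The sample log lines, the abbreviated logger name and the token values are constructed for the demonstration, and the token shapes searched for (compact JWTs and Bearer values) are an assumption about what the leaked "sensitive authentication information" looks like, since the advisory does not say.

```python
import re
from typing import Iterable

# Affected ranges from the advisory: 0.10.0 <= v <= 1.3.3 and 2.0.1-beta <= v < 2.0.2.
# Every 0.x release from 0.10.0 onward is affected, and no 0.x fix exists.
def parse_version(text: str) -> tuple:
    """Pull (major, minor, patch) out of '1.3.3', '2.0.1-beta' or 'iotdb-server-1.3.4.jar'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True if the version is inside the ranges the advisory lists as affected."""
    major, minor, patch = parse_version(text)
    if major == 0:
        return (minor, patch) >= (10, 0)
    if major == 1:
        return (minor, patch) < (3, 4)
    if major == 2:
        return (minor, patch) < (0, 2)
    return False


# Token shapes worth flagging (assumption, see lead-in): compact JWTs, i.e. three
# base64url segments with a header starting "eyJ", and anything presented as a Bearer value.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
BEARER_RE = re.compile(r"(?i)(bearer\s+)([A-Za-z0-9._~+/=-]{20,})")


def redact(line: str) -> str:
    """Mask token material so findings can be shared without re-leaking the secret."""
    line = BEARER_RE.sub(lambda m: m.group(1) + "[redacted]", line)
    return JWT_RE.sub("[redacted-jwt]", line)


def find_leaked_tokens(lines: Iterable[str]) -> list:
    """Return (line_number, redacted_line) for every line carrying a token."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if JWT_RE.search(line) or BEARER_RE.search(line):
            hits.append((number, redact(line)))
    return hits


def scan_log_file(path: str) -> list:
    """Same check over a real log file, e.g. logs/log_datanode_all.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_leaked_tokens(fh)


# Constructed sample lines in an IoTDB-like Logback layout; logger names, message wording
# and the tokens themselves are illustrative, not captured from a real server.
SAMPLE_LOG = [
    "2025-02-17 10:01:02,113 [main] INFO  o.a.i.c.auth.authorizer.OpenIdAuthorizer - authorizer initialised",
    "2025-02-17 10:01:05,420 [rpc-1] DEBUG o.a.i.c.auth.authorizer.OpenIdAuthorizer - login user=alice "
    "token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX2J5dGVz",
    "2025-02-17 10:01:05,421 [rpc-1] INFO  o.a.i.c.auth.authorizer.OpenIdAuthorizer - user alice authenticated",
    "2025-02-17 10:02:00,007 [rpc-2] WARN  o.a.i.c.auth.authorizer.OpenIdAuthorizer - "
    "Authorization: Bearer ya29.a0AfH6SMCexampleOpaqueAccessToken12345 rejected: expired",
]

if __name__ == "__main__":
    for v in ("1.3.3", "2.0.1-beta", "1.3.4"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for number, line in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Point scan_log_file at the DataNode log on a suspect instance; a non-empty result both confirms the leak and tells you which sessions' tokens to rotate, while the redaction keeps the finding itself from becoming a second copy of the secret.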

Network Indicators:

  • Reads of the log directory over file shares, or by log-collection agents that are not on your approved list

SIEM Query:

source="iotdb_logs" AND event_type="authentication" AND (message="*token*" OR message="*credential*")

The parentheses matter: without them the OR binds differently from what is intended and the credential match is no longer restricted to authentication events. Expect a run of true positives on a vulnerable instance; this query confirms the leak and scopes which tokens to rotate, it does not catch someone reading the file.

🔗 References

  • Vendor advisory: https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162
