CVE-2026-23906

9.8 CRITICAL

📋 TL;DR

This authentication bypass vulnerability in Apache Druid allows attackers to gain unauthorized access by exploiting LDAP anonymous bind configurations. Organizations using Druid with basic security extension and LDAP authentication are affected if their LDAP server permits anonymous binds.

💻 Affected Systems

Products:
  • Apache Druid
Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires druid-basic-security extension enabled, LDAP authenticator configured, and underlying LDAP server permitting anonymous binds.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Druid deployment including unauthorized access to sensitive data, data manipulation, administrative control, and potential data exfiltration.

🟠

Likely Case

Unauthorized access to Druid resources and sensitive data stored in datasources, with potential for data exposure and unauthorized queries.

🟢

If Mitigated

No impact if LDAP anonymous bind is disabled or Druid is upgraded to patched version.

🌐 Internet-Facing: HIGH - Remote unauthenticated attackers can exploit this vulnerability without credentials.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability to gain unauthorized access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of an existing username and an LDAP server that allows anonymous binds.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 36.0.0

Vendor Advisory: https://lists.apache.org/thread/2x9rv3kv6t1p577lvq4z0rl0zlt9g4sr

Restart Required: Yes

Instructions:

1. Download Apache Druid version 36.0.0 or later.
2. Stop Druid services.
3. Back up configuration and data.
4. Install the new version.
5. Restart Druid services.
6. Verify that authentication works correctly.

🔧 Temporary Workarounds

Disable LDAP Anonymous Bind

Platforms: all

Configure the LDAP server to reject anonymous bind requests.

# LDAP server configuration varies by implementation
# Consult your LDAP server documentation for disabling anonymous binds

🧯 If You Can't Patch

  • Disable anonymous bind on LDAP server immediately
  • Implement network segmentation to restrict access to Druid instances
  • Enable additional authentication layers or IP whitelisting

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if all three conditions hold: Druid is at version 0.17.0 through 35.x, the druid-basic-security extension is enabled with an LDAP authenticator configured, and the LDAP server allows anonymous binds.

Check Version:

Check Druid version in web UI or via API endpoint, or examine server logs for version information.

Verify Fix Applied:

After upgrading to 36.0.0 or later, attempt to authenticate as an existing user with an empty password; the attempt should be rejected. Also verify that anonymous bind is disabled on the LDAP server.
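The following is an added illustration of the bug class this advisory describes, not Apache Druid's own code. It assumes the general LDAP behaviour from RFC 4513 section 5.1.2: a simple bind with a non-empty DN and an empty password is an "unauthenticated" bind, and a server configured to allow anonymous access answers it with success even though no credential was checked. The `FakeLdapServer`, the `uid=...,ou=people,dc=example,dc=org` DN template and the two authenticators are constructed for this example; `authenticate_vulnerable` shows an application that trusts bind success as proof of a password, `authenticate_hardened` refuses empty or blank passwords before binding, and `verify_fix` encodes the post-upgrade check from the step above.

```python
"""
Model of the empty-password / anonymous-bind authentication bypass class.
The LDAP server below is a constructed in-memory stand-in (not a real
directory) and the authenticators are illustrative, not Druid's code.
"""
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Minimal simple-bind model. allow_anonymous mirrors an LDAP server that
    accepts anonymous/unauthenticated binds (the vulnerable configuration)."""
    passwords: dict                       # constructed directory: user DN -> password
    allow_anonymous: bool = True
    bind_log: list = field(default_factory=list)  # constructed audit trail

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: a name with an empty password is an "unauthenticated"
        # bind. Servers that permit anonymous access answer success, but the
        # resulting session is anonymous, so no credential was verified.
        if password == "":
            self.bind_log.append(("unauthenticated-bind", dn, self.allow_anonymous))
            return self.allow_anonymous
        ok = self.passwords.get(dn) == password
        self.bind_log.append(("simple-bind", dn, ok))
        return ok


def user_dn(username: str) -> str:
    # Constructed DN template; a real deployment uses its own base DN.
    return f"uid={username},ou=people,dc=example,dc=org"


def authenticate_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """Vulnerable pattern: any successful bind is treated as a verified login,
    so an anonymous-capable server turns an empty password into a bypass."""
    return server.simple_bind(user_dn(username), password)


def authenticate_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Hardened pattern: never hand an empty or whitespace-only password to the
    directory, so the bind can only succeed by matching a real credential."""
    if not username or not password or not password.strip():
        return False
    return server.simple_bind(user_dn(username), password)


def verify_fix(authenticate, server: FakeLdapServer, username: str) -> bool:
    """Post-patch check: an existing user with an empty password must be
    rejected. Returns True when the authenticator passes that check."""
    return authenticate(server, username, "") is False


if __name__ == "__main__":
    directory = FakeLdapServer(passwords={user_dn("alice"): "correct horse battery staple"})
    print("vulnerable authenticator, empty password:", authenticate_vulnerable(directory, "alice", ""))
    print("hardened authenticator, empty password:  ", authenticate_hardened(directory, "alice", ""))
    print("hardened authenticator, real password:   ",
          authenticate_hardened(directory, "alice", "correct horse battery staple"))
    print("fix verified for hardened authenticator: ", verify_fix(authenticate_hardened, directory, "alice"))
    # Server-side mitigation from the workaround section: with anonymous binds
    # disabled, even the vulnerable authenticator no longer accepts an empty password.
    directory.allow_anonymous = False
    print("vulnerable authenticator, anon bind disabled:", authenticate_vulnerable(directory, "alice", ""))
```

Both fixes are shown because they are independent: the client-side check protects a Druid that binds to a permissive directory, while disabling anonymous binds on the server protects an unpatched Druid, and the `bind_log` entries tagged `unauthenticated-bind` are the events a directory-side audit would surface.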

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with empty passwords
  • Successful authentication from unexpected sources
  • LDAP anonymous bind attempts

Network Indicators:

  • Authentication requests with empty password fields
  • Unusual query patterns from new/unexpected sources

SIEM Query:

source="druid" AND (auth_failure OR "empty password" OR "anonymous bind")

🔗 References
