CVE-2022-26112 in Pinot
Summary
by MITRE • 09/23/2022
In 0.10.0 or older versions of Apache Pinot, the Pinot query endpoint and realtime ingestion layer have a vulnerability in unprotected environments due to groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0
Analysis
by VulDB Data Team • 05/28/2025
CVE-2022-26112 affects Apache Pinot versions 0.10.0 and earlier and presents a critical risk in unprotected deployments, that is, clusters whose HTTP endpoints are reachable without authentication or network restriction. The flaw sits in two places: the query endpoint served by the broker and the realtime ingestion layer, so it can be triggered both while a query is processed and while incoming records are transformed. Its root cause is Pinot's built-in Groovy function support, which lets a caller supply a script that the Pinot process compiles and runs.
In these versions Groovy support is enabled by default. On the query side, the SQL function groovy(metadataJson, script, args...) takes the Groovy source as its second argument, so any client that can submit a query can also submit a script. On the ingestion side, a table config's transformConfigs can declare a transformFunction of the form Groovy({script}, args...), so anyone who can create or update a table config can plant a script that runs on every ingested record. Either way the script executes inside the JVM of the broker or server with the privileges of the Pinot service account. This is code injection rather than command injection: the attacker does not smuggle text into a shell command, they supply the program itself, which is why the flaw is classified as CWE-94, Improper Control of Generation of Code ('Code Injection'). Because both paths are reached over the same HTTP interfaces that serve normal queries and table administration, the exposure is greatest where those interfaces face untrusted networks.
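To make the two attack paths concrete and give defenders something to run, the following Python scanner is an added example (not code from VulDB or the Apache Pinot project). It extracts the Groovy script from groovy(...) calls in Pinot SQL and from Groovy({...}, ...) transform functions in a table config, and flags scripts that reach for process execution, filesystem, reflection or network APIs. The log line format, the sample queries and the sample table config are constructed for this example; the keyword list is a heuristic, not a sandbox, and on a pre-0.11.0 cluster any Groovy use at all is already code execution.

```python
"""Flag Groovy script execution paths in Apache Pinot queries and table configs.

Added example for the CVE-2022-26112 analysis; not code from VulDB or Apache Pinot.
The log line format, sample queries and sample table config are constructed for this
example. RISKY_TOKENS is a heuristic: on a pre-0.11.0 cluster any groovy() call is
already arbitrary code execution, so "medium" means "Groovy is being used at all".
"""
import json
import re
from dataclasses import dataclass

# Pinot SQL form: groovy('<metadata json>', '<groovy script>', col1, col2, ...)
# Pinot string literals are single-quoted; an embedded quote is written as ''.
QUERY_GROOVY = re.compile(
    r"\bgroovy\s*\(\s*'((?:[^']|'')*)'\s*,\s*'((?:[^']|'')*)'", re.IGNORECASE
)
# Ingestion transformConfigs form: Groovy({<groovy script>}, col1, col2, ...)
INGEST_GROOVY = re.compile(r"\bGroovy\s*\(\s*\{(.*)\}\s*(?:,|\))", re.IGNORECASE | re.DOTALL)

# Script fragments that leave pure column arithmetic: process execution, filesystem,
# reflection, networking, nested evaluation, dependency download. Not exhaustive.
RISKY_TOKENS = ("Runtime", "ProcessBuilder", ".execute(", "System.", "File",
                "Class.forName", "URL(", "Socket", "GroovyShell", "Eval.", "@Grab")


@dataclass(frozen=True)
class Finding:
    source: str          # request id or "<table>:<column>"
    script: str          # Groovy source that would run inside the Pinot JVM
    risky_tokens: tuple  # matched RISKY_TOKENS entries
    severity: str        # "high" if any risky token matched, else "medium"


def classify(source, script):
    hits = tuple(t for t in RISKY_TOKENS if t in script)
    return Finding(source, script, hits, "high" if hits else "medium")


def scan_sql(source, sql):
    """One Finding per groovy() call in a single SQL statement."""
    # group(2) is the script literal; undo the '' quote escaping of Pinot SQL
    return [classify(source, m.group(2).replace("''", "'")) for m in QUERY_GROOVY.finditer(sql)]


def scan_query_log(lines):
    """Scan lines of the constructed form 'requestId=N ... query=<sql>'."""
    findings = []
    for line in lines:
        if "query=" in line:
            findings.extend(scan_sql(line.split()[0], line.split("query=", 1)[1]))
    return findings


def scan_table_config(table_config):
    """One Finding per Groovy transform function in a parsed Pinot table config."""
    findings = []
    name = table_config.get("tableName", "<unknown>")
    for t in table_config.get("ingestionConfig", {}).get("transformConfigs", []):
        m = INGEST_GROOVY.search(t.get("transformFunction", ""))
        if m:
            findings.append(classify(f"{name}:{t.get('columnName')}", m.group(1)))
    return findings


# Constructed samples (not real Pinot logs): a plain query, a benign string concat
# through groovy(), and a script that spawns a process from inside the broker JVM.
SAMPLE_QUERY_LOG = [
    "requestId=101 client=10.0.0.5 query=SELECT count(*) FROM events WHERE status = 'ok'",
    "requestId=102 client=10.0.0.5 query=SELECT groovy('{\"returnType\":\"STRING\",\"isSingleValue\":true}', 'arg0 + \" \" + arg1', firstName, lastName) FROM users",
    "requestId=103 client=203.0.113.9 query=SELECT GROOVY('{\"returnType\":\"STRING\",\"isSingleValue\":true}', '\"id\".execute().text', userId) FROM users",
]

# Constructed realtime table config with one benign and one process-spawning transform.
SAMPLE_TABLE_CONFIG = json.loads("""
{
  "tableName": "users_REALTIME",
  "tableType": "REALTIME",
  "ingestionConfig": {
    "transformConfigs": [
      {"columnName": "fullName", "transformFunction": "Groovy({firstName + ' ' + lastName}, firstName, lastName)"},
      {"columnName": "hostInfo", "transformFunction": "Groovy({'uname -a'.execute().text}, firstName)"}
    ]
  }
}
""")

if __name__ == "__main__":
    for f in scan_query_log(SAMPLE_QUERY_LOG) + scan_table_config(SAMPLE_TABLE_CONFIG):
        print(f"{f.severity:6} {f.source:26} {f.script}")
```

Feed scan_query_log real broker query logs once the query field has been extracted in your own log format, and run scan_table_config over every table config returned by the controller; on a 0.10.0 or older cluster, a "medium" finding already means an untrusted party can execute code, and a "high" finding is evidence that someone is doing so.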
The impact is arbitrary code execution inside the Pinot process: an attacker can read or alter the data the node holds, reach credentials and configuration on the host, exfiltrate data, or disrupt the service, and then use the compromised node as a foothold for lateral movement. Execution happens at the privilege level of the Pinot service account; any further privilege escalation on the host would require a separate weakness. The risk is highest where network segmentation and access controls are absent, because the broker and controller endpoints can then be driven remotely without authentication. In ATT&CK terms this maps to T1059, Command and Scripting Interpreter; there is no Groovy-specific sub-technique.
The mitigation for CVE-2022-26112 is to upgrade to Apache Pinot 0.11.0 or later, where Groovy function support is disabled by default. Note the wording: disabled by default, not removed. The feature can be switched back on through configuration (on the broker the property is pinot.broker.disable.query.groovy; confirm the exact keys for each component against the configuration reference of the release in use), so after upgrading, check every broker, server and controller config for a setting that re-enables Groovy and treat any such setting as a finding. Beyond the upgrade, keep broker and controller endpoints off untrusted networks, put authentication in front of them, and alert on queries or table configs that invoke groovy(. Groovy support is a good example of functionality that should stay off in a database unless there is a specific need, since the cost of leaving it on is code execution. Regular vulnerability assessment and penetration testing should cover analogous scripting hooks in other data platforms.