CVE-2026-40452 in IoTDBinfo

Summary

by MITRE • 07/10/2026

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users.


This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability described represents a critical authorization bypass flaw in Apache IoTDB that compromises improper access control mechanisms within the system's REST API endpoints. This security weakness specifically targets the /rest/v2/fastLastQuery interface where last-value data becomes accessible to unauthorized authenticated users who should not have such privileges. The vulnerability exists due to inadequate validation of user permissions and roles when processing requests through this particular API endpoint, creating a pathway for privilege escalation attacks that can result in unauthorized data exposure.

The technical implementation of this flaw stems from insufficient authorization checks within the IoTDB service's RESTful architecture where authenticated users can potentially exploit the fastLastQuery functionality to access sensitive time-series data without proper clearance. This issue manifests as an incorrect authorization condition that allows users with basic authentication credentials to retrieve last-value information that should be restricted based on user roles or access levels. The vulnerability impacts both version 1.3.5 through 1.3.7 and 2.0.5 through 2.0.9, indicating a widespread problem affecting multiple release branches of the IoTDB platform.

The operational impact of this vulnerability is significant for organizations relying on Apache IoTDB for industrial IoT data management where last-value data often contains sensitive operational information, sensor readings, or time-series metrics that should remain protected. Attackers who can exploit this vulnerability can gain access to historical data points and real-time measurements that may contain proprietary information, operational parameters, or system status indicators that could be leveraged for further attacks or competitive intelligence gathering. This authorization bypass directly violates the principle of least privilege and could enable attackers to perform reconnaissance activities or extract valuable data without detection.

This vulnerability aligns with CWE-285 which addresses improper authorization conditions in software systems, and maps to ATT&CK technique T1078.004 for Valid Accounts usage where legitimate credentials are leveraged to access restricted functionality. Organizations should prioritize immediate remediation by upgrading to version 2.0.10 as recommended, which implements proper authorization controls within the REST API endpoints to prevent unauthorized data access. Additional mitigations include implementing network-level restrictions on the REST API, monitoring for unusual query patterns targeting fastLastQuery, and conducting thorough access control reviews to ensure that user permissions align with their operational requirements. The fix addresses the core issue by strengthening permission validation checks before allowing access to time-series data retrieval functions within the IoTDB service architecture.

Responsible

Apache

Reservation

04/13/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!