CVE-2025-26864

CWE-200 — Information Exposure CWE-532 — Log File Information Exposure5 documents4 sources

Severity

7.5HIGH

EPSS

0.5%

top 34.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Iotdb Apache Iotdb

Timeline

PublishedMay 14

Description

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDapache/iotdb0.10.0 — 1.3.4+1

▶PyPIapache-iotdb0.10.0 — 1.3.4+1

▶Mavenorg.apache.iotdb:node-commons0.10.0 — 1.3.4+1

▶CVEListV5apache_software_foundation/apache_iotdb2.0.1-beta — 2.0.2+1

🔴Vulnerability Details

OSV

CVE-2025-26864: Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of↗2025-05-14

▶

GHSA

Apache IoTDB Discloses Sensitive Information via Log Files↗2025-05-14

▶

CVEList

Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication↗2025-05-14

▶

OSV

Apache IoTDB Discloses Sensitive Information via Log Files↗2025-05-14

▶