Apache Druid vulnerabilities

CVE-2026-23906 [CRITICAL] CWE-287 CVE-2026-23906: Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all ve Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying LDAP server permits anonymous bind Vulnerability Description An authentication bypass vulnerability exists in Apache Druid wh

CVE-2025-59390 [CRITICAL] CWE-338 CVE-2025-59390: Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute f

CVE-2025-27888 [MEDIUM] CWE-79 CVE-2025-27888: Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of I Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a

CVE-2024-45537 [MEDIUM] CVE-2024-45537: Apache Druid allows users with certain permissions to read data from other database systems using JD Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properti

CVE-2024-45384 [MEDIUM] CWE-209 CVE-2024-45384: Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this

CVE-2021-44791 [MEDIUM] CWE-79 CVE-2021-44791: In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL paramete In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.

CVE-2022-28889 [MEDIUM] CWE-1021 CVE-2022-28889: In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacki In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

CVE-2021-36749 [MEDIUM] CVE-2021-36749: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, sinc

CVE-2021-26920 [MEDIUM] CWE-610 CVE-2021-26920: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid direct

CVE-2021-26919 [HIGH] CWE-20 CVE-2021-26919: Apache Druid allows users to read data from other database systems using JDBC. This functionality is Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malic

CVE-2021-25646 [HIGH] CVE-2021-25646: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provide

CVE-2020-1958 [MEDIUM] CWE-74 CVE-2020-1958: When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set o When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs c