Cyber Posture

CVE-2026-23906

Critical

Published: 10 February 2026

Published
10 February 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 20.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23906 is a critical-severity Improper Authentication (CWE-287) vulnerability in Apache Druid. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked at the 20.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Remediates the specific software flaw in Apache Druid that improperly treats anonymous LDAP bind success as valid user authentication.

CM-6 Configuration Settings good match
prevent

Enforces secure configuration settings on the LDAP server to disable anonymous binds, directly preventing the authentication bypass exploitation.

IA-5 Authenticator Management good match
prevent

Manages authenticators to ensure sufficient strength of mechanism and prohibit weak or null authenticators like empty passwords exploited in this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Auth bypass on exposed Druid service directly enables T1190 (public app exploit) to access via T1078 (valid LDAP accounts).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying LDAP server permits anonymous bind Vulnerability Description An authentication bypass…

more

vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials. The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication. Impact A remote, unauthenticated attacker can: * Gain unauthorized access to the Apache Druid cluster * Access sensitive data stored in Druid datasources * Execute queries and potentially manipulate data * Access administrative interfaces if the bypassed account has elevated privileges * Completely compromise the confidentiality, integrity, and availability of the Druid deployment Mitigation Immediate Mitigation (No Druid Upgrade Required): * Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action. Resolution * Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.

Deeper analysisAI

CVE-2026-23906 is an authentication bypass vulnerability in Apache Druid versions 0.17.0 through 35.x (all versions prior to 36.0.0). It affects deployments using the druid-basic-security extension with an LDAP authenticator configured, provided the underlying LDAP server permits anonymous binds. The issue arises from improper validation of LDAP authentication responses, where success on an anonymous bind is incorrectly treated as valid user authentication, allowing an attacker to bypass credentials by submitting an existing username paired with an empty password.

A remote, unauthenticated attacker can exploit this vulnerability to gain unauthorized access to the Apache Druid cluster. Successful exploitation enables access to sensitive data in Druid datasources, execution of queries, potential data manipulation, and access to administrative interfaces if the bypassed account has elevated privileges. This can result in complete compromise of the confidentiality, integrity, and availability of the Druid deployment, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-287 (Improper Authentication).

Advisories recommend immediate mitigation by disabling anonymous binds on the LDAP server, which prevents exploitation without requiring a Druid upgrade. For full resolution, upgrade to Apache Druid 36.0.0 or later, which rejects anonymous LDAP bind attempts. Details are available in the Apache security announcement at https://lists.apache.org/thread/2x9rv3kv6t1p577lvq4z0rl0zlt9g4sr and oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/02/09/5.

Details

CWE(s)
CWE-287

Affected Products

apache
druid
0.17.0 — 36.0.0

CVEs Like This One

CVE-2026-29145Same vendor: Apache
CVE-2026-33409Shared CWE-287
CVE-2025-24783Same vendor: Apache
CVE-2026-24343Same vendor: Apache
CVE-2025-61622Same vendor: Apache
CVE-2024-52577Same vendor: Apache
CVE-2026-41635Same vendor: Apache
CVE-2025-62235Same vendor: Apache
CVE-2026-24038Shared CWE-287
CVE-2025-67895Same vendor: Apache

References