CVE-2026-24713
Published: 09 March 2026
Summary
CVE-2026-24713 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Iotdb. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of information inputs at defined points, comprehensively addressing the improper input validation (CWE-20) root cause in Apache IoTDB.
Requires identification, reporting, testing, and timely installation of software flaw remediations, aligning with Apache's upgrade recommendation to patched IoTDB versions 1.3.7 or 2.0.7.
Vulnerability scanning detects deployed instances of affected Apache IoTDB versions and triggers remediation to prevent remote exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely exploitable improper input validation flaw in a public-facing Apache IoTDB instance (no auth or user interaction required) that directly enables initial access, data access/modification, and availability impact; this maps cleanly to T1190 Exploit Public-Facing Application.
NVD Description
Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.
Deeper analysisAI
CVE-2026-24713 is an Improper Input Validation vulnerability (CWE-20, CWE-917) in Apache IoTDB, an open-source IoT database for time-series data management. The flaw affects Apache IoTDB versions from 1.0.0 up to but not including 1.3.7, and from 2.0.0 up to but not including 2.0.7. Published on March 9, 2026, it carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
A remote attacker with network access to an affected Apache IoTDB instance can exploit this vulnerability without authentication or user interaction. Successful exploitation allows the attacker to achieve high-impact effects, including unauthorized access to sensitive data, modification of database contents, and disruption of service availability.
Apache advisories recommend upgrading to Apache IoTDB version 1.3.7 or 2.0.7, which remediate the vulnerability. Additional details are available in the official Apache announcement at https://lists.apache.org/thread/vopgv6y2ccw403b0zv7rvojjrh7x1j5p and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/03/09/4.
Details
- CWE(s)