CVE-2025-26864

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.

This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2.

Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

Published: May 14, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-26864
GHSA: GHSA-5fc3-pqf2-57cx
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-200
CWE-532

Affected Software
References

Software	From	Fixed in
org.apache.iotdb / node-commons	0.10.0	1.3.4
org.apache.iotdb / node-commons	2.0.1-beta	2.0.2
apache / iotdb	0.10.0	1.3.4
apache / iotdb	2.0.1-beta	2.0.1-beta.x
apache-iotdb	0.10.0	1.3.4
apache-iotdb	2.0.1b0	2.0.2

http://www.openwall.com/lists/oss-security/2025/05/14/4
https://github.com/apache/iotdb/commit/34fcaff6b72470d5ad369307dde7fae8897aea7e
https://github.com/apache/iotdb/pull/14863
https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-60.yaml
https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162

Vulnerability Database

CVE-2025-26864