PatchSiren cyber security CVE debrief
CVE-2026-28564 Apache Software Foundation CVE debrief
CVE-2026-28564 is a critical vulnerability in Apache IoTDB, affecting versions from 1.0.0 before 2.0.10. The issue involves Insufficient Session Expiration and Authentication Bypass by Capture-replay, allowing attackers to bypass authentication and potentially gain unauthorized access. Users are recommended to upgrade to version 2.0.10 to fix the issue. This vulnerability has a CVSS score of 9.8 and is considered critical. The vulnerability's impact is significant, as it allows attackers to bypass authentication and potentially gain unauthorized access to Apache IoTDB systems.
- Vendor
- Apache Software Foundation
- Product
- Apache IoTDB
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Apache IoTDB versions from 1.0.0 to 2.0.9 should upgrade to version 2.0.10 to address the vulnerability. This includes operators, administrators, and security teams responsible for managing and securing Apache IoTDB systems. The vulnerability's impact is significant, as it allows attackers to bypass authentication and potentially gain unauthorized access to Apache IoTDB systems.
Technical summary
The vulnerability is caused by insufficient session expiration and authentication bypass by capture-replay in Apache IoTDB's REST Basic Authentication. This allows attackers to bypass authentication and potentially gain unauthorized access. The issue has a CVSS score of 9.8 and is considered critical. The vulnerability affects Apache IoTDB versions from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10 to fix the issue.
Defensive priority
High
Recommended defensive actions
- Upgrade Apache IoTDB to version 2.0.10 or later
- Review and update authentication and session management configurations
- Monitor for suspicious activity and implement additional security measures
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-10T08:16:21.897Z and last modified on 2026-07-10T16:16:28.493Z. The NVD entry is currently Deferred. The vulnerability affects Apache IoTDB versions from 1.0.0 before 2.0.10, and users are recommended to upgrade to version 2.0.10 to fix the issue. Evidence of the vulnerability's existence and impact is based on the official CVE record and NVD entry.
Official resources
-
CVE-2026-28564 CVE record
CVE.org
-
CVE-2026-28564 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T08:16:21.897Z and has not been modified since then. The NVD entry is currently Deferred.