Arbitrary file upload in Apache Software Foundation Iotdb
CVE-2026-24014
Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an a…
Affected products
- Apache Software Foundation Iotdb — versions 1.3.3
Weakness classification (CWE)
References
- security@apache.org (vendor-advisory)