Arbitrary file upload in Apache Software Foundation Iotdb

CVE-2026-24014

Apache IoTDB DataNode’s internal RPC interface for creating Trigger instances uses the uploaded Trigger JAR name to build a file path without sufficient validation. If the internal DataNode RPC port is exposed to an untrusted network, an a…

Affected products

Weakness classification (CWE)

References