Auth bypass in Apache Doris
CVE-2026-58319
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially a…
Vulnerability class: Broken Authentication
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
Affected products
- Apache Doris
- Apache Software Foundation Doris — versions 2.1.0
Weakness classification (CWE)
References
- security@apache.org (vendor-advisory, Mailing List, Vendor Advisory)
- af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)
Frequently asked questions
- What is CVE-2026-58319?
- CVE-2026-58319 is a critical-severity vulnerability in Apache Doris, classified under Missing Authentication for Critical Function. CVSS score: 9.1/10. Published 2026-07-14.
- How severe is CVE-2026-58319?
- Critical severity. CVSS v3 base score is 9.1 out of 10.