Apache Druid

12 CVEs affecting Apache Druid. Latest disclosed: 2026-02-10. Critical: 2, High: 2.

Top CVEs affecting Apache Druid
CVE            | Severity | Score | Published  | Summary
CVE-2026-23906 | Critical | 9.8   | 2026-02-10 | Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic…
CVE-2025-59390 | Critical | 9.8   | 2025-11-26 | Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not expli…
CVE-2021-26919 | High     | 8.8   | 2021-03-30 | Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set…
CVE-2021-25646 | High     | 8.8   | 2021-01-29 | Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in hig…
CVE-2024-45537 | Medium   | 6.5   | 2024-09-17 | Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid…
CVE-2021-36749 | Medium   | 6.5   | 2021-09-24 | In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to…
CVE-2021-26920 | Medium   | 6.5   | 2021-07-02 | In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to…
CVE-2020-1958  | Medium   | 6.5   | 2020-04-01 | When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.user…
CVE-2021-44791 | Medium   | 6.1   | 2022-07-07 | In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possibl…
CVE-2025-27888 | Medium   | 5.4   | 2025-03-20 | Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), U…
CVE-2024-45384 | Medium   | 5.3   | 2024-09-17 | Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apa…
CVE-2022-28889 | Medium   | 4.3   | 2022-07-07 | In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the C…