Apache Druid
12 CVEs affecting Apache Druid. Latest disclosed: 2026-02-10. Critical: 2, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-23906 | Critical | 9.8 | 2026-02-10 | Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic… |
| CVE-2025-59390 | Critical | 9.8 | 2025-11-26 | Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not expli… |
| CVE-2021-26919 | High | 8.8 | 2021-03-30 | Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set… |
| CVE-2021-25646 | High | 8.8 | 2021-01-29 | Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in hig… |
| CVE-2024-45537 | Medium | 6.5 | 2024-09-17 | Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid… |
| CVE-2021-36749 | Medium | 6.5 | 2021-09-24 | In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to… |
| CVE-2021-26920 | Medium | 6.5 | 2021-07-02 | In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to… |
| CVE-2020-1958 | Medium | 6.5 | 2020-04-01 | When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.user… |
| CVE-2021-44791 | Medium | 6.1 | 2022-07-07 | In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possibl… |
| CVE-2025-27888 | Medium | 5.4 | 2025-03-20 | Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), U… |
| CVE-2024-45384 | Medium | 5.3 | 2024-09-17 | Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apa… |
| CVE-2022-28889 | Medium | 4.3 | 2022-07-07 | In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the C… |