
Apache Druid

13 known vulnerabilities across versions
Entries are listed by affected version range. Each gives the CVE identifier, the affected range as recorded on this listing, the opening of the advisory text (shown truncated), and the CVSS base score.
CVE-2026-23906
>= 0.17.0 and < 36.0.0
Affected Products and Versions: Apache Druid. Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * P
9.8 CRITICAL
CVE-2025-59390
< 35.0.0
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSec
9.8 CRITICAL
CVE-2025-27888
< 31.0.2
Severity: medium (5.8) / important. Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generatio
5.4 MEDIUM (the advisory text above rates it 5.8; the two scores come from different CVSS assessments, so check the vector you rely on)
CVE-2024-45537
< 30.0.1
Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows
6.5 MEDIUM
CVE-2024-45384
>= 0.18.0 and < 30.0.1
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session co
5.3 MEDIUM
CVE-2022-28889
< 0.23.0
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later pre
4.3 MEDIUM
CVE-2021-44791
<= 0.22.1
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML res
6.1 MEDIUM
CVE-2021-33800
listed as "all versions" (but see note)
In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal. Note: Apache Druid never shipped a 1.x release (its numbering went from 0.23.x straight to 24.0.0), so "Druid 1.2.3" points to a different project that shares the name; verify the CVE's CPE before treating this as an Apache Druid finding.
7.5 HIGH
CVE-2021-36749
< 0.22.0
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource
6.5 MEDIUM
CVE-2021-26920
< 0.22.0
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource
6.5 MEDIUM
CVE-2021-26919
< 0.20.2
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with t
8.8 HIGH
CVE-2021-25646
<= 0.20.0
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionali
8.8 HIGH
CVE-2020-1958
0.17.0 (the listing says "all versions"; the advisory itself names 0.17.0, and the fix shipped in 0.17.1)
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass
6.5 MEDIUM
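The JavaScript execution, Kerberos cookie-secret, HTTP input source and JDBC entries above all come down to settings in a Druid runtime.properties file. The script below is an added example, not code from this listing or from the Druid project: it parses a properties file and flags the weak settings, with a hardened version of the same file beside it. The property names are the documented Druid ones; both sample files are constructed, and the 32-character secret floor and the list of risky MySQL Connector/J properties are this script's own choices rather than anything Druid publishes.

```python
"""Audit a Druid runtime.properties file for the weak settings behind several
entries in the listing above. Added example, not Druid project code.
Property names are the documented Druid ones; the *_PROPERTIES samples are
constructed for this demo."""
import json
import re

# Constructed: a deliberately weak configuration.
WEAK_PROPERTIES = """\
# constructed example, not a real deployment
druid.javascript.enabled=true
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.serverPrincipal=HTTP/_HOST@EXAMPLE.ORG
druid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/druid.keytab
druid.ingestion.http.allowedProtocols=["http", "https", \\
    "file"]
druid.access.jdbc.enforceAllowedProperties=false
druid.access.jdbc.allowedProperties=["useSSL", "autoDeserialize"]
"""

# Constructed: the same deployment with each setting corrected.
HARDENED_PROPERTIES = """\
druid.javascript.enabled=false
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.cookieSignatureSecret=replace-with-a-random-secret-of-at-least-32-chars
druid.ingestion.http.allowedProtocols=["http", "https"]
druid.access.jdbc.enforceAllowedProperties=true
druid.access.jdbc.allowedProperties=["useSSL", "requireSSL", "ssl", "sslmode"]
"""

# MySQL Connector/J properties abused for local file read or deserialization
# against a malicious server; this script's own list, not a Druid-maintained one.
RISKY_JDBC_PROPERTIES = {"autoDeserialize", "allowLoadLocalInfile",
                         "allowUrlInLocalInfile", "queryInterceptors",
                         "statementInterceptors"}


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key: value, '#'/'!' comment
    lines, and backslash line continuations. Enough for runtime.properties."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", joined)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_list(value):
    """Druid list-typed properties are JSON arrays; fall back to comma-separated."""
    try:
        parsed = json.loads(value)
        if isinstance(parsed, list):
            return [str(v) for v in parsed]
    except ValueError:
        pass
    return [v.strip() for v in value.split(",") if v.strip()]


def audit(props):
    """Return (CVE, message) pairs, one per weak setting found."""
    findings = []

    # CVE-2021-25646: server-side execution of user-supplied JavaScript. The
    # feature is off by default and intended only for high-trust environments.
    if props.get("druid.javascript.enabled", "false").lower() == "true":
        findings.append(("CVE-2021-25646", "druid.javascript.enabled=true: "
                         "user-supplied JavaScript runs inside Druid processes"))

    # CVE-2025-59390: each Kerberos authenticator needs an explicit cookie-signing
    # secret, or Druid falls back to a weak one. 32 chars is this script's floor.
    for key, value in props.items():
        m = re.fullmatch(r"druid\.auth\.authenticator\.([^.]+)\.type", key)
        if m and value.lower() == "kerberos":
            secret_key = f"druid.auth.authenticator.{m.group(1)}.cookieSignatureSecret"
            if len(props.get(secret_key, "")) < 32:
                findings.append(("CVE-2025-59390",
                                 f"{secret_key} is missing or shorter than 32 chars"))

    # CVE-2021-26920 / CVE-2021-36749: the HTTP input source follows any URI
    # scheme the JVM supports unless restricted; file:// reads the local disk.
    protocols = parse_list(props.get("druid.ingestion.http.allowedProtocols",
                                     '["http", "https"]'))
    extra = sorted(p for p in protocols if p.lower() not in ("http", "https"))
    if extra:
        findings.append(("CVE-2021-26920",
                         f"druid.ingestion.http.allowedProtocols permits {extra}"))

    # CVE-2021-26919 / CVE-2024-45537: only allow-listed JDBC connection
    # properties may reach the driver, and the allow-list itself must be sane.
    if props.get("druid.access.jdbc.enforceAllowedProperties", "true").lower() != "true":
        findings.append(("CVE-2021-26919", "druid.access.jdbc.enforceAllowedProperties"
                         "=false: arbitrary connection properties reach the JDBC driver"))
    allowed = parse_list(props.get("druid.access.jdbc.allowedProperties", "[]"))
    risky = sorted(p for p in allowed if p in RISKY_JDBC_PROPERTIES)
    if risky:
        findings.append(("CVE-2021-26919",
                         f"druid.access.jdbc.allowedProperties permits {risky}"))
    return findings


def audit_text(text):
    return audit(parse_properties(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        results = audit_text(text)
        print(f"== {name}: {len(results)} finding(s)")
        for cve, msg in results:
            print(f"  {cve}: {msg}")
```

Run it against a real runtime.properties by reading the file into `audit_text`; the parser deliberately ignores settings it does not recognise, so a clean result means only that these specific knobs are safe, not that the cluster is patched for the version-bound CVEs (CVE-2021-25646 in particular was exploitable regardless of configuration until the fixed release).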
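For the clickjacking entry (CVE-2022-28889) the quickest confirmation on a running cluster is to look at the response headers. The function below is an added example, not Druid code: it evaluates a captured header dictionary (the sample responses are constructed) rather than making requests, and applies the generic browser rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, which is why a stale or obsolete X-Frame-Options value does not matter once CSP is in place.

```python
"""Check captured HTTP response headers for clickjacking protection, the gap
CVE-2022-28889 describes for Druid before 0.23.0. Added example, not Druid
code; the header sets below are constructed, and the check is generic."""


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if the
    directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def clickjacking_protected(headers):
    """Return (protected, reason). Header names are matched case-insensitively.
    Browsers that understand CSP frame-ancestors ignore X-Frame-Options when
    the directive is present, so CSP is evaluated first."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            # '*' or a bare scheme source lets any site on that scheme frame us.
            if any(src in ("*", "http:", "https:") for src in ancestors):
                return False, "CSP frame-ancestors allows arbitrary origins"
            return True, f"CSP frame-ancestors {' '.join(ancestors)}"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "neither CSP frame-ancestors nor X-Frame-Options is set"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it"
    return False, f"X-Frame-Options value {xfo!r} is not recognised; browsers ignore it"


# Constructed samples: what an unpatched and a patched response might carry.
SAMPLE_RESPONSES = {
    "no framing headers": {"Content-Type": "text/html", "Server": "Jetty(9.4.z)"},
    "x-frame-options deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp overrides obsolete xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://portal.example.com",
    },
    "csp wide open": {"content-security-policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        ok, reason = clickjacking_protected(headers)
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {reason}")
```

Feed it the headers of a console page (for example the router's web console) and of a JSON API endpoint separately: only responses that a browser would render as a document need the protection, so an API endpoint without the header is not by itself a finding.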
threatengine.sh