CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23906: The Ghost in the LDAP: Apache Druid Authentication Bypass


Vulnerability ID: CVE-2026-23906
CVSS Score: 9.8
Published: 2026-02-10

Apache Druid, the high-performance real-time analytics database, has dropped the ball on basic authentication logic. By failing to differentiate between an anonymous LDAP bind and an authenticated user bind, Druid allows attackers to log in as any user, including administrators, simply by providing an empty password: the LDAP server treats a bind with a username and an empty password as an anonymous bind, reports success, and Druid takes that success as proof of identity. This is a classic protocol confusion vulnerability that turns an LDAP server permitting anonymous binds into a golden key for your data warehouse.

TL;DR

If you use LDAP for Apache Druid authentication and your LDAP server allows anonymous binds (a common default), anyone can log in as 'admin' by sending an empty password. CVSS 9.8. Upgrade to 36.0.0 immediately or disable anonymous binds in LDAP.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287 (Improper Authentication)
  • Attack Vector: Network
  • CVSS: 9.8 (Critical)
  • Impact: Full Admin Access / Potential RCE
  • EPSS Score: 0.03%
  • Exploit Status: Trivial / Conceptual

Affected Systems

  • Apache Druid 0.17.0 through 35.x
  • Druid clusters using druid-basic-security extension
  • Druid clusters configured with LDAP authentication
  • Apache Druid: >= 0.17.0, < 36.0.0 (Fixed in: 36.0.0)

Code Analysis

Commit: unknown

Logic added to reject empty passwords in LdapAuthenticator

// Reject an empty password before it reaches the LDAP bind; an empty password would otherwise
// become an anonymous bind that the server reports as successful.
if (password.isEmpty()) { return authenticationFailed(); }
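To make the failure mode concrete, here is an added illustration (not Apache Druid's code, and not from the report above): an in-memory stand-in for an LDAP server that follows the simple-bind rule at the heart of this bug (a DN plus an empty password is an unauthenticated bind, which succeeds as anonymous wherever anonymous binds are allowed), beside two authenticators built on it. One mirrors the flawed logic the report describes, the other applies the empty-password check from the fix and additionally insists on a genuinely authenticated bind. The class names, method names, DN template and password are all constructed for the example. Running it also shows why the second mitigation works: with anonymous binds disabled on the directory, the empty-password bind fails even against the unpatched logic.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration, not Apache Druid's code. All names below are assumptions for the example.
public class LdapEmptyPasswordDemo {

    /** Outcome of a simple bind: who the server now considers the connection to be. */
    enum BindResult { FAILED, ANONYMOUS, AUTHENTICATED }

    /**
     * Fake directory implementing the one detail of LDAP simple bind that matters here:
     * a DN with an empty password is an "unauthenticated" bind, which succeeds as anonymous
     * on servers that permit anonymous binds, regardless of whether the DN exists.
     */
    static final class FakeLdapServer {
        private final Map<String, String> passwords;   // DN -> password (constructed test data)
        private final boolean allowAnonymousBinds;

        FakeLdapServer(Map<String, String> passwords, boolean allowAnonymousBinds) {
            this.passwords = passwords;
            this.allowAnonymousBinds = allowAnonymousBinds;
        }

        BindResult bind(String dn, String password) {
            if (password.isEmpty()) {
                // No credential supplied: the DN is not checked at all.
                return allowAnonymousBinds ? BindResult.ANONYMOUS : BindResult.FAILED;
            }
            String expected = passwords.get(dn);
            return expected != null && expected.equals(password)
                    ? BindResult.AUTHENTICATED : BindResult.FAILED;
        }
    }

    static String dnFor(String user) {
        return "uid=" + user + ",ou=people,dc=example,dc=org";  // constructed DN template
    }

    /** Mirrors the flawed logic described in the report: any bind that did not fail is taken as proof of identity. */
    static Optional<String> vulnerableAuthenticate(FakeLdapServer ldap, String user, String password) {
        BindResult r = ldap.bind(dnFor(user), password);
        return r != BindResult.FAILED ? Optional.of(user) : Optional.empty();
    }

    /** Hardened: refuse empty credentials before talking to LDAP, and require an AUTHENTICATED bind, not merely a non-failed one. */
    static Optional<String> fixedAuthenticate(FakeLdapServer ldap, String user, String password) {
        if (password == null || password.isEmpty()) {
            return Optional.empty();   // never let an empty password reach the bind
        }
        BindResult r = ldap.bind(dnFor(user), password);
        return r == BindResult.AUTHENTICATED ? Optional.of(user) : Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, String> directory = Map.of(dnFor("admin"), "correct horse battery staple");

        FakeLdapServer permissive = new FakeLdapServer(directory, true);   // anonymous binds allowed (the common default the report mentions)
        FakeLdapServer strict = new FakeLdapServer(directory, false);      // mitigation: anonymous binds disabled

        System.out.println("vulnerable, permissive LDAP, empty password: "
                + vulnerableAuthenticate(permissive, "admin", ""));   // Optional[admin]  <- the bypass
        System.out.println("vulnerable, strict LDAP, empty password:     "
                + vulnerableAuthenticate(strict, "admin", ""));       // Optional.empty   <- LDAP-side mitigation
        System.out.println("fixed, permissive LDAP, empty password:      "
                + fixedAuthenticate(permissive, "admin", ""));        // Optional.empty   <- patched check
        System.out.println("fixed, permissive LDAP, correct password:    "
                + fixedAuthenticate(permissive, "admin", "correct horse battery staple")); // Optional[admin]
    }
}
```

The second guard in `fixedAuthenticate` (requiring `AUTHENTICATED` rather than "not `FAILED`") is what a reviewer should look for in any LDAP-backed authenticator: the empty-password check alone closes this report's case, but treating bind success as identity proof is the underlying mistake, and an explicit check of the bound identity is what keeps the next variant from slipping through.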

Exploit Details

  • Manual: exploitation via an HTTP POST with an empty password field

Mitigation Strategies

  • Upgrade Apache Druid to version 36.0.0 or later.
  • Disable anonymous binding on the backend LDAP/Active Directory server.
  • Restrict network access to Druid management interfaces.

Remediation Steps:

  1. Download the Apache Druid 36.0.0 release binary.
  2. Stop the Druid cluster services (Coordinator, Router, Broker, etc.).
  3. Replace the binaries and update libraries.
  4. Restart the cluster.
  5. Verify the fix by attempting to log in with a valid username and an empty password; the attempt should now be rejected.

Read the full report for CVE-2026-23906 on our website for more details including interactive diagrams and full exploit analysis.