Platform
java
Component
org.apache.druid.extensions:druid-basic-security
Fixed in
36.0.0
CVE-2026-23906 describes an authentication bypass vulnerability affecting Apache Druid. This flaw allows unauthorized access to Druid resources if specific conditions are met. The vulnerability impacts versions 0.17.0 through 35.x. A fix is available in version 36.0.0.
An attacker can exploit this vulnerability to gain unauthorized access to sensitive data and perform actions within the Druid cluster without proper authentication. This could involve data exfiltration, modification of data, or even complete control of the Druid system. The prerequisite for exploitation is that the druid-basic-security extension is enabled, LDAP authentication is configured, and the underlying LDAP server permits anonymous binds. This combination of factors creates a significant attack surface, potentially allowing attackers to bypass security controls entirely. The impact is particularly severe given Druid's use in handling large volumes of data, often containing sensitive information.
This vulnerability was publicly disclosed on 2026-02-10. Its CVSS score of 9.5 (CRITICAL) reflects its high severity. No public proof-of-concept (PoC) code had been released at the time of writing, but given how little effort exploitation requires once the prerequisites are met, exploitation is likely if a PoC is developed. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.08% (25th percentile)
The primary mitigation is to upgrade Apache Druid to version 36.0.0 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider temporarily disabling the druid-basic-security extension, but be aware this will remove all security features provided by the extension. As a secondary measure, restrict anonymous binds on the LDAP server to prevent attackers from leveraging this bypass. Regularly review LDAP configuration to ensure adherence to security best practices. After upgrading, confirm the fix by attempting to authenticate without valid credentials and verifying that authentication fails.
Disable anonymous bind on your LDAP server. Update Apache Druid to version 36.0.0 or later, which includes fixes to correctly reject anonymous LDAP bind attempts.
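The two conditions named above (the extension accepting whatever the LDAP bind returns, and a directory that permits anonymous binds) combine into a single failure mode: under RFC 4513 a simple bind that carries a DN but an empty password is an "unauthenticated" bind, which a permissive server answers with success while granting only anonymous authorization. The following is an added example, not Druid's code and not taken from the advisory; the in-memory directory, the MockLdapServer, the DN and the password are all constructed, and the vulnerable and hardened authenticators show the general pattern rather than Druid's actual implementation.

```python
"""Vulnerable vs. hardened LDAP-backed authenticator against a mock directory.

Constructed illustration: MockLdapServer reproduces the bind semantics of
RFC 4513 sections 5.1.1 and 5.1.2 (anonymous and unauthenticated binds) and
nothing else. It is not Druid code.
"""
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authz_identity: str  # the identity the server actually bound the session as


class MockLdapServer:
    """Minimal stand-in for a directory server's simple-bind handling."""

    def __init__(self, passwords: dict[str, str], allow_unauthenticated_bind: bool):
        self._passwords = passwords  # constructed DN -> password table
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(True, "anonymous")  # RFC 4513 5.1.1: anonymous bind
        if password == "":
            # RFC 4513 5.1.2: DN present, password empty -> unauthenticated bind.
            # A permissive server reports success but only anonymous authorization.
            if self.allow_unauthenticated_bind:
                return BindResult(True, "anonymous")
            return BindResult(False, "")
        if self._passwords.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, "")


def authenticate_vulnerable(server: MockLdapServer, dn: str, password: str) -> bool:
    """Weak pattern: any successful bind is taken as proof of identity."""
    return server.simple_bind(dn, password).success


def authenticate_hardened(server: MockLdapServer, dn: str, password: str) -> bool:
    # 1. Refuse empty or whitespace-only passwords before touching the directory,
    #    so an unauthenticated bind can never be attempted on the user's behalf.
    if not password or not password.strip():
        return False
    result = server.simple_bind(dn, password)
    # 2. Require the server to have bound as the claimed user, not anonymously.
    return result.success and result.authz_identity == dn


USER_DN = "uid=alice,ou=people,dc=example,dc=org"  # constructed
DIRECTORY = {USER_DN: "correct horse battery staple"}  # constructed


def demo() -> dict:
    """Runs both authenticators against a permissive and a strict directory."""
    permissive = MockLdapServer(DIRECTORY, allow_unauthenticated_bind=True)
    strict = MockLdapServer(DIRECTORY, allow_unauthenticated_bind=False)
    return {
        "vulnerable_empty_pw_permissive": authenticate_vulnerable(permissive, USER_DN, ""),
        "vulnerable_empty_pw_strict": authenticate_vulnerable(strict, USER_DN, ""),
        "hardened_empty_pw_permissive": authenticate_hardened(permissive, USER_DN, ""),
        "hardened_good_pw": authenticate_hardened(permissive, USER_DN, DIRECTORY[USER_DN]),
        "hardened_bad_pw": authenticate_hardened(permissive, USER_DN, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32} -> {'AUTHENTICATED' if ok else 'rejected'}")
```

Only the first case authenticates: the weak authenticator combined with a permissive directory accepts an empty password, which is exactly the combination the two mitigations break from either side (disabling unauthenticated binds on the server makes the strict case, upgrading to a version that rejects empty credentials makes the hardened case). The same two checks, reject blank passwords before binding and verify the bound identity, are what to look for when reviewing any LDAP-backed authenticator, and the post-upgrade verification step above is the real-world form of the `hardened_empty_pw_permissive` case.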
CVE-2026-23906 is a critical vulnerability in Apache Druid versions 0.17.0 through 35.x that allows attackers to bypass authentication if druid-basic-security is enabled, LDAP is configured, and the LDAP server permits anonymous binds.
You are affected if you are using Apache Druid versions 0.17.0 through 35.0.1 and have the druid-basic-security extension enabled with LDAP authentication and an LDAP server allowing anonymous binds.
Upgrade Apache Druid to version 36.0.0 or later. As a temporary workaround, disable the druid-basic-security extension, but be aware this removes all security features.
While no public exploits are currently known, the ease of exploitation suggests a high likelihood of exploitation if a proof-of-concept is developed.
Refer to the official Apache Druid security advisory for details: [https://druid.apache.org/security/CVE-2026-23906](https://druid.apache.org/security/CVE-2026-23906)