Apache Druid Vulnerable to Authentication Bypass

An attacker can exploit this vulnerability to gain unauthorized access to sensitive data and perform actions within the Druid cluster without proper authentication. This could involve data exfiltration, modification of data, or even complete control of the Druid system. The prerequisite for exploitation is that the druid-basic-security extension is enabled, LDAP authentication is configured, and the underlying LDAP server permits anonymous binds. This combination of factors creates a significant attack surface, potentially allowing attackers to bypass security controls entirely. The impact is particularly severe given Druid's use in handling large volumes of data, often containing sensitive information.

Organizations using Apache Druid for data analytics, particularly those relying on LDAP authentication and the druid-basic-security extension, are at risk. Shared hosting environments where multiple Druid instances share the same LDAP server are especially vulnerable, as a compromise of one instance could potentially impact others.

• linux / server: Monitor Druid logs for authentication attempts without valid credentials. Use journalctl -u druid to filter for authentication failures.

journalctl -u druid | grep "Authentication failed" 

• java / platform: Inspect Druid's security configuration files to ensure druid-basic-security is enabled and LDAP authentication is configured. Check LDAP server logs for anonymous bind attempts. • generic web: Attempt to access Druid endpoints without authentication. If the LDAP server allows anonymous binds, authentication should fail, not succeed.

1. 2026-02-10Disclosure

   disclosure

1. 予約済み2026-01-19
2. 公開日2026-02-10
3. 更新日2026-02-22
4. EPSS 更新日2026-03-23

The primary mitigation is to upgrade Apache Druid to version 36.0.0 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider temporarily disabling the druid-basic-security extension, but be aware this will remove all security features provided by the extension. As a secondary measure, restrict anonymous binds on the LDAP server to prevent attackers from leveraging this bypass. Regularly review LDAP configuration to ensure adherence to security best practices. After upgrading, confirm the fix by attempting to authenticate without valid credentials and verifying that authentication fails.