CVE-2026-23906 Overview
An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.
The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.
Critical Impact
A remote, unauthenticated attacker can gain unauthorized access to Apache Druid clusters, access sensitive data, execute queries, manipulate data, and potentially access administrative interfaces if the bypassed account has elevated privileges—completely compromising the confidentiality, integrity, and availability of the Druid deployment.
Affected Products
- Apache Druid versions 0.17.0 through 35.x (all versions prior to 36.0.0)
- Configurations with druid-basic-security extension enabled
- Environments with LDAP authenticator configured where the underlying LDAP server permits anonymous bind
Discovery Timeline
- 2026-02-10 - CVE-2026-23906 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-23906
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287: Improper Authentication) affects Apache Druid deployments using LDAP-based authentication through the druid-basic-security extension. The flaw allows attackers to completely circumvent authentication controls by exploiting the interaction between Druid's authentication logic and LDAP servers that permit anonymous binds.
The attack requires minimal prerequisites: the druid-basic-security extension must be enabled with an LDAP authenticator configured, and the underlying LDAP server must allow anonymous bind operations. When these conditions are met, an attacker can authenticate as any valid user by simply providing a legitimate username with an empty password.
Root Cause
The root cause lies in the improper handling of LDAP bind responses within Apache Druid's authentication module. In LDAP, a bind request that carries a distinguished name but an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2); a server that permits anonymous access answers it with success while treating the resulting session as anonymous. Druid's authentication logic fails to distinguish that outcome from a legitimate authenticated bind and accepts the anonymous bind success as proof that the user presented valid credentials.
This oversight allows the LDAP server's permissive configuration to propagate through to Druid's access control layer, effectively bypassing all credential validation when an empty password is supplied with a valid username.
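To make the root cause concrete, here is an added example (not Apache Druid's code, which is Java) with a constructed in-memory directory that behaves like an LDAP server permitting anonymous binds, the pass-through check the advisory describes, and a hardened check that rejects empty credentials up front and only trusts a bind that left the session bound as the user's own DN. The SimulatedLdapServer class, the user table and the DNs are all constructed for this illustration.

```python
"""Added example, not Apache Druid's code: a constructed directory that follows
RFC 4513 section 5.1.2 (a bind with a DN and an empty password is an
'unauthenticated' bind, answered with success by a server that allows
anonymous access), beside the flawed and the hardened validation logic.
All users, DNs and passwords below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BindResult:
    success: bool
    authz_dn: Optional[str]  # DN the session is bound as; None means anonymous


class SimulatedLdapServer:
    """Constructed stand-in for an LDAP server (not a real client library)."""

    def __init__(self, users: Dict[str, str], allow_anonymous: bool) -> None:
        self._users = users
        self._allow_anonymous = allow_anonymous

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            # Unauthenticated bind: succeeds if anonymous access is allowed,
            # but the session is anonymous, not bound as `dn`.
            return BindResult(self._allow_anonymous, None)
        if self._users.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, None)


def validate_vulnerable(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """The flawed pattern: any successful bind counts as authenticating the user."""
    return server.simple_bind(dn, password).success


def validate_hardened(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Reject empty credentials before talking to the directory, and accept the
    bind only when the server bound the session as the user's own DN."""
    if not dn or not password:
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authz_dn == dn


# Constructed sample user; the password is not a real credential.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
USERS = {ALICE: "correct-horse-battery"}


def compare(allow_anonymous: bool) -> Dict[str, bool]:
    """Run both validators against the same directory and report the outcomes."""
    server = SimulatedLdapServer(USERS, allow_anonymous)
    return {
        "vulnerable_empty_password": validate_vulnerable(server, ALICE, ""),
        "hardened_empty_password": validate_hardened(server, ALICE, ""),
        "hardened_real_password": validate_hardened(server, ALICE, USERS[ALICE]),
        "hardened_wrong_password": validate_hardened(server, ALICE, "nope"),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"anonymous bind allowed={flag}: {compare(flag)}")
```

With anonymous binds allowed, the pass-through validator accepts the empty password while the hardened one does not; with anonymous binds refused, both reject it, which is why the server-side change is an effective mitigation on its own. The two checks in validate_hardened are independent layers: the empty-password check keeps the unauthenticated bind from ever being sent, and the authorization-identity check catches any other server configuration that answers with success but does not actually bind the session as the user.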
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker with network access to the Apache Druid cluster can exploit this vulnerability through the standard authentication endpoint.
The exploitation process involves:
- Identifying a valid username in the Druid system (through enumeration or prior knowledge)
- Attempting authentication with the identified username and an empty password
- If the LDAP server permits anonymous binds, Druid accepts the authentication
- The attacker gains access with the privileges of the targeted user account
This vulnerability is particularly dangerous when targeting administrative accounts, as it can lead to complete compromise of the Druid deployment.
Detection Methods for CVE-2026-23906
Indicators of Compromise
- Authentication log entries showing successful logins in which the submitted password field was empty or null
- Unusual access patterns from external IP addresses to sensitive Druid datasources
- LDAP server logs showing anonymous bind attempts followed by successful Druid authentications
- Unexpected query execution or data access from accounts that typically have minimal activity
Detection Strategies
- Monitor LDAP authentication logs for bind attempts with empty passwords that result in successful Druid access
- Implement alerting on authentication events where credential length is zero or null
- Review Druid access logs for authentication successes that have no matching authenticated (non-anonymous) bind on the LDAP server
- Deploy network monitoring to detect authentication attempts from untrusted sources targeting Druid endpoints
Monitoring Recommendations
- Enable detailed authentication logging in both Druid and the LDAP server to capture credential validation events
- Configure SIEM rules to correlate anonymous LDAP bind attempts with Druid authentication successes
- Regularly audit user access patterns and flag accounts with sudden changes in activity or access scope
- Monitor for bulk data access or administrative operations from newly authenticated sessions
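The correlation rule suggested in the detection and monitoring lists above, as an added example that is not part of the advisory: it joins LDAP bind records with Druid authentication successes and flags every login whose only backing bind left the directory session anonymous. The two log line formats, the regexes and every sample line are constructed for this example; real OpenLDAP, Active Directory and Druid log formats differ, so the regexes must be adapted to your collectors.

```python
"""Added example, not from the advisory or the Druid project: correlate LDAP
bind records with Druid authentication successes and flag logins backed only
by an anonymous (unauthenticated) bind. Log formats and all sample lines are
constructed; adapt LDAP_RE and DRUID_RE to your own sources."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed format: one line per bind, carrying the authorization identity
# the session ended up with ("" means the server treated it as anonymous).
LDAP_RE = re.compile(
    r'^(?P<ts>\S+) ldap conn=(?P<conn>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'authzid="(?P<authzid>[^"]*)" result=(?P<result>\d+)$'
)
# Constructed format for a Druid-side authentication audit line.
DRUID_RE = re.compile(
    r'^(?P<ts>\S+) druid auth=(?P<outcome>\w+) authenticator=(?P<authenticator>\S+) '
    r'user=(?P<user>\S+) src=(?P<src>\S+)$'
)
WINDOW = timedelta(seconds=5)  # assumed maximum gap between bind and Druid success


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _uid(dn: str) -> str:
    """First RDN value of a user DN: "uid=alice,ou=people,..." -> "alice"."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def find_anonymous_backed_logins(ldap_lines: List[str], druid_lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per Druid success that matches a successful bind with a
    non-empty DN but an empty authorization identity within WINDOW seconds."""
    anon_binds = []
    for line in ldap_lines:
        m = LDAP_RE.match(line.strip())
        if m and m["result"] == "0" and m["dn"] and m["authzid"] == "":
            anon_binds.append((_ts(m["ts"]), _uid(m["dn"]), m["conn"]))

    alerts = []
    for line in druid_lines:
        m = DRUID_RE.match(line.strip())
        if not m or m["outcome"] != "success":
            continue
        when = _ts(m["ts"])
        for bind_ts, uid, conn in anon_binds:
            if uid == m["user"] and abs(when - bind_ts) <= WINDOW:
                alerts.append({"user": uid, "src": m["src"], "ldap_conn": conn, "druid_ts": m["ts"]})
                break
    return alerts


SAMPLE_LDAP = [  # constructed sample lines
    '2026-02-11T10:02:13Z ldap conn=1042 BIND dn="uid=alice,ou=people,dc=example,dc=com" authzid="" result=0',
    '2026-02-11T10:05:40Z ldap conn=1043 BIND dn="uid=bob,ou=people,dc=example,dc=com" authzid="uid=bob,ou=people,dc=example,dc=com" result=0',
    '2026-02-11T10:07:02Z ldap conn=1044 BIND dn="uid=carol,ou=people,dc=example,dc=com" authzid="" result=49',
]
SAMPLE_DRUID = [  # constructed sample lines
    "2026-02-11T10:02:14Z druid auth=success authenticator=ldap user=alice src=203.0.113.7",
    "2026-02-11T10:05:41Z druid auth=success authenticator=ldap user=bob src=198.51.100.20",
    "2026-02-11T10:07:03Z druid auth=failure authenticator=ldap user=carol src=203.0.113.7",
]

if __name__ == "__main__":
    for alert in find_anonymous_backed_logins(SAMPLE_LDAP, SAMPLE_DRUID):
        print("ALERT: Druid login backed by anonymous LDAP bind:", alert)
```

Only alice's login is flagged: bob's bind left the session bound as his own DN, and carol's bind failed (result 49, invalidCredentials) so her Druid attempt also failed. The same rule ports directly to a SIEM as a join on the user identifier within a short time window; the key field is the post-bind authorization identity, which is what separates a real login from an anonymous one.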
How to Mitigate CVE-2026-23906
Immediate Actions Required
- Disable anonymous bind on your LDAP server immediately; this closes the bypass without requiring a Druid upgrade. Afterwards, confirm that any client that previously relied on anonymous access, including the directory lookups Druid itself performs, authenticates with its own credentials
- Audit LDAP server configurations across all environments to ensure anonymous binds are prohibited
- Review authentication logs for signs of exploitation and investigate any suspicious authentication events
- Implement network segmentation to limit access to Druid endpoints from untrusted networks
Patch Information
Apache has released version 36.0.0, which includes fixes to properly reject anonymous LDAP bind attempts. Organizations should upgrade to Apache Druid 36.0.0 or later to receive the permanent fix. The security advisory is available through the Apache Mailing List Thread.
Additional technical details can be found in the Openwall OSS-Security Post.
Workarounds
- Configure your LDAP server to explicitly deny anonymous bind operations as the primary mitigation
- Implement additional authentication layers or multi-factor authentication for Druid access
- Use network access controls to restrict Druid cluster access to trusted networks and IP ranges only
- Consider implementing a web application firewall (WAF) to detect and block authentication attempts with empty credentials
# LDAP Configuration Example (OpenLDAP - slapd.conf)
# Disable anonymous binds to mitigate CVE-2026-23906
disallow bind_anon
# Also make sure no "allow bind_anon_dn" directive is present: that feature
# accepts a bind with a non-empty DN and an empty password, which is exactly
# the request this bypass relies on.

# For OpenLDAP using cn=config (OLC), apply the equivalent change with
# ldapmodify as an LDIF update to the global config entry:
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
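To verify the setting across many servers without a live bind test, here is an added audit helper (not from the advisory) that reads either a slapd.conf fragment or an LDIF dump of cn=config and reports whether anonymous binds are disallowed and whether the OpenLDAP `allow bind_anon_dn` feature (a DN with an empty password) is enabled. The two configuration texts at the bottom are constructed samples; the parser assumes the relevant attribute lines are not folded across LDIF continuation lines.

```python
"""Added example, not from the advisory: audit OpenLDAP configuration text
(slapd.conf directives or an LDIF dump of cn=config such as slapcat -n 0
output) for the features that govern anonymous and unauthenticated binds.
The WEAK and FIXED texts below are constructed samples."""
import re
from typing import Dict, Set

# slapd.conf:  "disallow bind_anon" / "allow bind_anon_dn"
# cn=config:   "olcDisallows: bind_anon" / "olcAllows: bind_anon_dn"
DIRECTIVE_RE = re.compile(
    r"^(?:(?P<kw>allow|disallow)\s+|olc(?P<olc>Allows|Disallows):\s*)(?P<values>.+)$",
    re.IGNORECASE,
)


def _features(config_text: str) -> Dict[str, Set[str]]:
    """Collect the feature names listed under allow/disallow directives."""
    found: Dict[str, Set[str]] = {"allow": set(), "disallow": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        keyword = (m["kw"] or m["olc"]).lower()
        kind = "allow" if keyword.startswith("allow") else "disallow"
        found[kind].update(v.lower() for v in m["values"].split())
    return found


def audit_anonymous_bind(config_text: str) -> Dict[str, bool]:
    """Report the two settings that matter for this bypass and an overall verdict."""
    f = _features(config_text)
    anon_disallowed = "bind_anon" in f["disallow"]
    # bind_anon_dn accepts a non-empty DN with an empty password.
    unauth_allowed = "bind_anon_dn" in f["allow"]
    return {
        "anonymous_bind_disallowed": anon_disallowed,
        "unauthenticated_bind_allowed": unauth_allowed,
        "safe": anon_disallowed and not unauth_allowed,
    }


WEAK = """# constructed slapd.conf fragment
allow bind_anon_dn
"""

FIXED = """# constructed slapcat -n 0 excerpt
dn: cn=config
objectClass: olcGlobal
cn: config
olcDisallows: bind_anon
"""

if __name__ == "__main__":
    print("weak :", audit_anonymous_bind(WEAK))
    print("fixed:", audit_anonymous_bind(FIXED))
```

Run it over the exported configuration of each directory server (slapd.conf from a file, or the LDIF produced by slapcat -n 0 for cn=config deployments) and treat anything other than safe=True as a finding. The check is static and complements, rather than replaces, a live test with an LDAP client, and it does not cover non-OpenLDAP directories, whose anonymous-bind controls live elsewhere.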
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

