CVE-2026-23906: Apache Druid Auth Bypass Vulnerability

CVE-2026-23906 is an authentication bypass vulnerability in Apache Druid affecting versions 0.17.0 through 35.x when LDAP authentication is used. Attackers can gain unauthorized access using empty passwords.

Published:

CVE-2026-23906 Overview

An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.

The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.

Critical Impact

A remote, unauthenticated attacker can gain unauthorized access to Apache Druid clusters, access sensitive data, execute queries, manipulate data, and potentially access administrative interfaces if the bypassed account has elevated privileges—completely compromising the confidentiality, integrity, and availability of the Druid deployment.

Affected Products

  • Apache Druid versions 0.17.0 through 35.x (all versions prior to 36.0.0)
  • Configurations with druid-basic-security extension enabled
  • Environments with LDAP authenticator configured where the underlying LDAP server permits anonymous bind

Discovery Timeline

  • 2026-02-10 - CVE-2026-23906 published to NVD
  • 2026-02-12 - Last updated in NVD database

Technical Details for CVE-2026-23906

Vulnerability Analysis

This authentication bypass vulnerability (CWE-287: Improper Authentication) affects Apache Druid deployments using LDAP-based authentication through the druid-basic-security extension. The flaw allows attackers to completely circumvent authentication controls by exploiting the interaction between Druid's authentication logic and LDAP servers that permit anonymous binds.

The attack requires minimal prerequisites: the druid-basic-security extension must be enabled with an LDAP authenticator configured, and the underlying LDAP server must allow anonymous bind operations. When these conditions are met, an attacker can authenticate as any valid user by simply providing a legitimate username with an empty password.

Root Cause

The root cause lies in the improper handling of LDAP bind responses within Apache Druid's authentication module. When an LDAP server is configured to permit anonymous binds, submitting an empty password results in a successful bind operation from the LDAP server's perspective. Druid's authentication logic fails to distinguish between a successful anonymous bind and a legitimate authenticated bind, incorrectly treating the anonymous bind success as valid user authentication.

This oversight allows the LDAP server's permissive configuration to propagate through to Druid's access control layer, effectively bypassing all credential validation when an empty password is supplied with a valid username.
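An added illustration of the root cause described above (example code written for this page, not Druid's own authenticator): a minimal simulated LDAP directory, a vulnerable check that trusts any successful bind, and a hardened check that refuses empty credentials and verifies which identity was actually bound. `FakeLdapServer`, `BindResult` and the `uid=...,ou=people,dc=example,dc=com` layout are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BindResult:
    success: bool
    bound_dn: Optional[str]  # None: the bind succeeded only with anonymous authorization


class FakeLdapServer:
    """Stand-in for an LDAP directory (constructed for this example, not a real client)."""

    def __init__(self, users: Dict[str, str], allow_anonymous: bool):
        self.users = users  # dn -> password
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn: str, password: str) -> BindResult:
        # RFC 4513 section 5.1.2: a name with an empty password is an "unauthenticated"
        # bind; a permissive server grants it, but only with anonymous authorization.
        if password == "":
            return BindResult(success=self.allow_anonymous, bound_dn=None)
        if self.users.get(dn) == password:
            return BindResult(success=True, bound_dn=dn)
        return BindResult(success=False, bound_dn=None)


def dn_for(user: str) -> str:
    # Assumed directory layout for the example.
    return f"uid={user},ou=people,dc=example,dc=com"


def authenticate_vulnerable(ldap: FakeLdapServer, user: str, password: str) -> bool:
    # Bug pattern from the advisory: any successful bind is taken as proof of identity,
    # so an empty password plus anonymous-bind support logs the caller in as `user`.
    return ldap.simple_bind(dn_for(user), password).success


def authenticate_hardened(ldap: FakeLdapServer, user: str, password: str) -> bool:
    # 1. Never send an empty password: that is an anonymous/unauthenticated bind by definition.
    if not password:
        return False
    result = ldap.simple_bind(dn_for(user), password)
    # 2. Require that the directory actually authenticated the expected identity,
    #    not merely that the bind operation returned success.
    return result.success and result.bound_dn == dn_for(user)
```

The hardened version also stays safe against a directory that still permits anonymous binds, which is why the application-side check matters even after the LDAP server is locked down.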

Attack Vector

The attack is network-accessible and requires no authentication or user interaction. An attacker with network access to the Apache Druid cluster can exploit this vulnerability through the standard authentication endpoint.

The exploitation process involves:

  1. Identifying a valid username in the Druid system (through enumeration or prior knowledge)
  2. Attempting authentication with the identified username and an empty password
  3. If the LDAP server permits anonymous binds, Druid accepts the authentication
  4. The attacker gains access with the privileges of the targeted user account

This vulnerability is particularly dangerous when targeting administrative accounts, as it can lead to complete compromise of the Druid deployment.

Detection Methods for CVE-2026-23906

Indicators of Compromise

  • Authentication log entries showing successful logins with empty or null password fields
  • Unusual access patterns from external IP addresses to sensitive Druid datasources
  • LDAP server logs showing anonymous bind attempts followed by successful Druid authentications
  • Unexpected query execution or data access from accounts that typically have minimal activity

Detection Strategies

  • Monitor LDAP authentication logs for bind attempts with empty passwords that result in successful Druid access
  • Implement alerting on authentication events where credential length is zero or null
  • Review Druid access logs for authentication successes that the LDAP server recorded as an anonymous or empty-password bind rather than an authenticated bind
  • Deploy network monitoring to detect authentication attempts from untrusted sources targeting Druid endpoints

Monitoring Recommendations

  • Enable detailed authentication logging in both Druid and the LDAP server to capture credential validation events
  • Configure SIEM rules to correlate anonymous LDAP bind attempts with Druid authentication successes
  • Regularly audit user access patterns and flag accounts with sudden changes in activity or access scope
  • Monitor for bulk data access or administrative operations from newly authenticated sessions
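A detection example added here for the correlation strategy above (not code from the page, Druid, or any SIEM product): it reads constructed events in an assumed normalized JSON schema, not a real Druid or slapd log format, and flags every Druid authentication success that follows an anonymous LDAP bind for the same user within a short window.

```python
import json
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample events in a hypothetical normalized SIEM schema: one LDAP bind
# event or one Druid authentication event per line. Timestamps and addresses are made up.
SAMPLE_EVENTS = """\
{"ts": "2026-02-11T09:00:01Z", "source": "ldap", "event": "bind", "user": "alice", "anonymous": true, "result": "success"}
{"ts": "2026-02-11T09:00:02Z", "source": "druid", "event": "auth", "user": "alice", "result": "success", "client": "203.0.113.7"}
{"ts": "2026-02-11T09:05:10Z", "source": "ldap", "event": "bind", "user": "bob", "anonymous": false, "result": "success"}
{"ts": "2026-02-11T09:05:11Z", "source": "druid", "event": "auth", "user": "bob", "result": "success", "client": "10.0.0.5"}
{"ts": "2026-02-11T09:30:00Z", "source": "ldap", "event": "bind", "user": "carol", "anonymous": true, "result": "success"}
{"ts": "2026-02-11T10:30:00Z", "source": "druid", "event": "auth", "user": "carol", "result": "success", "client": "10.0.0.9"}
"""

WINDOW = timedelta(seconds=30)  # how closely the Druid login must follow the LDAP bind


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def correlate_anonymous_binds(events: List[dict], window: timedelta = WINDOW) -> List[Tuple]:
    """Return (user, client, ldap_ts, druid_ts) for each Druid auth success that
    follows a successful anonymous LDAP bind for the same user within `window`."""
    anon_binds = [e for e in events
                  if e["source"] == "ldap" and e["event"] == "bind"
                  and e.get("anonymous") and e["result"] == "success"]
    hits = []
    for d in events:
        if d["source"] != "druid" or d["event"] != "auth" or d["result"] != "success":
            continue
        for b in anon_binds:
            delta = d["ts"] - b["ts"]
            if b["user"] == d["user"] and timedelta(0) <= delta <= window:
                hits.append((d["user"], d["client"], b["ts"], d["ts"]))
    return hits


if __name__ == "__main__":
    for hit in correlate_anonymous_binds(parse_events(SAMPLE_EVENTS)):
        print("ALERT: Druid login via anonymous LDAP bind:", hit)
```

Only the alice pair fires: bob's bind was authenticated, and carol's anonymous bind is an hour away from her Druid login, so the rule tolerates ordinary anonymous directory lookups while still catching the empty-password login pattern.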

How to Mitigate CVE-2026-23906

Immediate Actions Required

  • Disable anonymous bind on your LDAP server immediately—this prevents the vulnerability from being exploitable without requiring a Druid upgrade
  • Audit LDAP server configurations across all environments to ensure anonymous binds are prohibited
  • Review authentication logs for signs of exploitation and investigate any suspicious authentication events
  • Implement network segmentation to limit access to Druid endpoints from untrusted networks

Patch Information

Apache has released version 36.0.0 which includes fixes to properly reject anonymous LDAP bind attempts. Organizations should upgrade to Apache Druid 36.0.0 or later to receive the permanent fix. The security advisory is available through the Apache Mailing List Thread.

Additional technical details can be found in the Openwall OSS-Security Post.

Workarounds

  • Configure your LDAP server to explicitly deny anonymous bind operations as the primary mitigation
  • Implement additional authentication layers or multi-factor authentication for Druid access
  • Use network access controls to restrict Druid cluster access to trusted networks and IP ranges only
  • Consider implementing a web application firewall (WAF) to detect and block authentication attempts with empty credentials

OpenLDAP configuration for disabling anonymous binds, for a slapd.conf-based server:

```text
# slapd.conf
# Disable anonymous binds to mitigate CVE-2026-23906
disallow bind_anon
```

For OpenLDAP using cn=config (OLC), apply the equivalent setting to the global config entry, for example with ldapmodify:

```ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
