CVE-2026-24012 Overview
CVE-2026-24012 is an Uncontrolled Resource Consumption vulnerability [CWE-400] in Apache IoTDB affecting versions from 1.3.3 before 2.0.8. The flaw resides in a query interface that fails to enforce reasonable limits on the time span and aggregation interval of queries. An unauthenticated remote attacker can craft a request with extreme parameters, such as a very large time range combined with a minimal aggregation interval. The DataNode then builds an oversized result set in memory, exhausts the Java heap, and crashes the process. Apache has released version 2.0.8 to remediate the issue.
Critical Impact
A single network-reachable request can crash Apache IoTDB DataNode processes, disrupting time-series data availability for connected industrial, IoT, and analytics workloads.
Affected Products
- Apache IoTDB 1.3.3 through versions prior to 2.0.8
- Deployments exposing DataNode query interfaces to untrusted networks
- Downstream IoT and time-series analytics stacks built on affected IoTDB versions
Discovery Timeline
- 2026-07-06 - CVE-2026-24012 published to NVD
- 2026-07-06 - Apache Security Announcement published to the Apache dev mailing list
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-24012
Vulnerability Analysis
Apache IoTDB is a high-performance time-series database frequently deployed in IoT and industrial telemetry environments. The DataNode component handles storage and query execution. This vulnerability arises when a query interface accepts user-supplied time range and aggregation interval parameters without enforcing upper bounds or resource ceilings. When those parameters are set to extreme values, the query planner materializes an enormous set of aggregation buckets in memory. The Java heap fills, garbage collection thrashes, and the DataNode Java Virtual Machine (JVM) terminates with an OutOfMemoryError. The result is a denial-of-service condition against availability, while confidentiality and integrity are not directly impacted.
Root Cause
The root cause is missing input validation on query parameters that drive memory allocation. The affected interface does not validate the ratio between the query time span and the aggregation interval, nor does it cap the total number of buckets or intermediate rows produced. Because bucket count grows linearly with time span and inversely with interval size, a malicious request can push memory demand far beyond available heap capacity before any result is returned.
Attack Vector
Exploitation requires network access to an exposed IoTDB query endpoint. No authentication, user interaction, or prior privileges are required per the CVSS vector. An attacker submits a single crafted query specifying, for example, a multi-decade time range combined with a sub-second aggregation interval. The DataNode attempts to allocate the resulting bucket structures, exhausts the JVM heap, and crashes. Repeated requests can prevent recovery and cause sustained outages across a cluster.
No public proof-of-concept exploit or CISA Known Exploited Vulnerabilities (KEV) listing is available at the time of publication. The EPSS probability is approximately 0.55%.
Detection Methods for CVE-2026-24012
Indicators of Compromise
- DataNode JVM logs containing java.lang.OutOfMemoryError: Java heap space correlated with query execution stack traces
- Repeated DataNode process restarts or crash loops without corresponding administrative activity
- Query audit records showing time ranges spanning years combined with millisecond or second-level aggregation intervals
Detection Strategies
- Inspect IoTDB query logs for aggregation queries whose (time_range / interval) ratio exceeds an operationally reasonable threshold
- Correlate DataNode heap-exhaustion events with the source IP address and session that issued the preceding queries
- Baseline normal query patterns and alert on statistical outliers in query duration, memory usage, and result cardinality
Monitoring Recommendations
- Enable JVM heap and garbage collection metrics for every DataNode and alert on sustained pressure or full GC storms
- Forward IoTDB query logs and JVM crash logs to a centralized SIEM or data lake for correlation with network telemetry
- Monitor availability of the IoTDB cluster with synthetic health checks that fail fast when DataNodes restart
How to Mitigate CVE-2026-24012
Immediate Actions Required
- Upgrade Apache IoTDB to version 2.0.8 or later on all DataNode and ConfigNode instances
- Restrict network access to IoTDB query endpoints so that only trusted application tiers can reach them
- Review query logs from the past 30 days for extreme time-range and interval combinations indicative of probing
Patch Information
Apache has released Apache IoTDB 2.0.8, which enforces limits on query time spans and aggregation intervals. Refer to the Apache Security Announcement and the Openwall OSS-Security discussion for release details.
Workarounds
- Place a reverse proxy or API gateway in front of IoTDB that validates and caps time_range and interval parameters before forwarding requests
- Require authentication on all IoTDB endpoints and remove any anonymous access exposed to untrusted networks
- Isolate DataNode instances on a dedicated network segment with strict allow-lists limiting client sources
# Example: block direct external access to the IoTDB DataNode query port
# and only allow the internal application subnet to reach it
iptables -A INPUT -p tcp --dport 6667 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6667 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

