Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB.
The pipe processor reads a fully
qualified Java class name and
instantiates it using Class.forName().newInstance() without any
validation or allowlisting.
This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.
Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Apache
Apache iotdb |
|
| Vendors & Products |
Apache
Apache iotdb |
Fri, 10 Jul 2026 08:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validation or allowlisting. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue. | |
| Title | Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC | |
| Weaknesses | CWE-470 | |
| References |
|
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-07-10T07:13:27.770Z
Reserved: 2026-04-08T08:42:56.547Z
Link: CVE-2026-40008
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T09:54:45Z