CVE-2025-26795: 
Java vulnerability analysis and mitigation

A moderate severity vulnerability (CVE-2025-26795) has been identified in the Apache IoTDB JDBC driver. The vulnerability was discovered by Kyler Katz and publicly disclosed on May 14, 2025. It affects Apache IoTDB JDBC driver versions 0.10.0 through 1.3.3 and 2.0.1-beta before 2.0.2. The vulnerability involves the exposure of sensitive information to unauthorized actors and the insertion of sensitive information into log files (Wiz, Openwall List).

The vulnerability is classified under two Common Weakness Enumeration (CWE) categories: CWE-532 (Insertion of Sensitive Information into Log File) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high-severity vulnerability with network accessibility and no required privileges or user interaction (NVD).

The vulnerability could result in the exposure of sensitive information to unauthorized actors and the potential logging of sensitive data in system log files. This poses a significant risk for organizations using Apache IoTDB for managing industrial IoT time-series data, as it could lead to unauthorized access to sensitive information (Wiz).

Users are strongly advised to upgrade to Apache IoTDB JDBC driver version 2.0.2 or 1.3.4, which contain fixes for this vulnerability. These updates have been specifically released to address the identified security issues (Openwall List).