CVE-2025-26795: 
Java vulnerability analysis and mitigation

A moderate severity vulnerability has been identified in the Apache IoTDB JDBC driver, tracked as CVE-2025-26795. The vulnerability involves the exposure of sensitive information to unauthorized actors and the insertion of sensitive information into log files. The affected versions include Apache IoTDB JDBC driver versions 0.10.0 through 1.3.3 and 2.0.1-beta before 2.0.2. The vulnerability was discovered by Kyler Katz and was publicly disclosed on May 14, 2025 (Openwall List).

The vulnerability is classified under two Common Weakness Enumeration (CWE) categories: CWE-532 (Insertion of Sensitive Information into Log File) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue specifically relates to the handling of sensitive information within the JDBC driver's functionality, which could lead to unauthorized information disclosure and logging of sensitive data (NVD).

The vulnerability could result in the exposure of sensitive information to unauthorized actors and the potential logging of sensitive data in system log files. This poses a significant risk for organizations using Apache IoTDB for managing industrial IoT time-series data, as it could lead to unauthorized access to sensitive information (Security Online).

Users are strongly advised to upgrade to Apache IoTDB JDBC driver version 2.0.2 or 1.3.4, which contain fixes for this vulnerability. These updates have been specifically released to address the identified security issues (Openwall List).