Vulnerability DatabaseCVE-2026-23906

CVE-2026-23906:
Java vulnerability analysis and mitigation

Affected Products and Versions

Apache Druid
Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)
Prerequisites: * druid-basic-security extension enabled
LDAP authenticator configured
Underlying LDAP server permits anonymous bind Vulnerability Description An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials. The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication. Impact A remote, unauthenticated attacker can:
Gain unauthorized access to the Apache Druid cluster
Access sensitive data stored in Druid datasources
Execute queries and potentially manipulate data
Access administrative interfaces if the bypassed account has elevated privileges
Completely compromise the confidentiality, integrity, and availability of the Druid deployment Mitigation Immediate Mitigation (No Druid Upgrade Required):
Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action. Resolution
Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

9.8

Score

Published February 10, 2026

Severity CRITICAL

CNA Score 9.8

Affected Technologies

Java
Apache Druid

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 24.6

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

org.apache.druid.extensions:druid-basic-security
druid

Sources

GitHub Advisory Database
- Maven Severity CRITICALHas FixAdded at: Feb 11, 2026
Homebrew
- Homebrew Severity CRITICALHas FixAdded at: Feb 12, 2026
VulnCheck NVD++
- Linux Severity CRITICALHas FixAdded at: Feb 11, 2026
NVD
- Linux Severity CRITICALHas FixAdded at: Feb 12, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-34361	CRITICAL	9.3	Java	ca.uhn.hapi.fhir:org.hl7.fhir.validation	No	Yes	Mar 30, 2026
CVE-2026-34214	HIGH	7.7	Java	trino	No	Yes	Mar 29, 2026
CVE-2026-34359	HIGH	7.4	Java	ca.uhn.hapi.fhir:org.hl7.fhir.core	No	Yes	Mar 30, 2026
CVE-2026-34237	MEDIUM	6.1	Java	io.modelcontextprotocol.sdk:mcp-core	No	Yes	Mar 30, 2026
CVE-2026-34360	MEDIUM	5.8	Java	ca.uhn.hapi.fhir:org.hl7.fhir.core	No	Yes	Mar 30, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2026-23906: Java vulnerability analysis and mitigation