Hive

This hub aggregates every CVE we track for Hive, a product in the databases space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Hive.

• CVE-2025-59874HCL Hive Telco Observability is affected by  a Required directives missing from the CSP .8.1Jun 4, 2026
• CVE-2026-8757adenhq hive Delete Request routes_sessions.py _read_events_tail path traversal7.3May 17, 2026
• CVE-2025-62728Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs5.4Nov 26, 2025
• CVE-2024-29869Apache Hive: Credentials file created with non restrictive permissions5.5Jan 28, 2025
• CVE-2024-23953Apache Hive: Timing Attack Against Signature in LLAP util6.5Jan 28, 2025
• CVE-2024-23945Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails5.9Dec 23, 2024
• CVE-2022-41137Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore8.3Dec 5, 2024
• CVE-2023-35701Apache Hive: Arbitrary command execution via JDBC driver6.6May 3, 2024
• CVE-2021-34538Apache Hive Security vulnerability in Hive with UDFs7.5Jul 16, 2022
• CVE-2020-1926Timing attack in Cookie signature verification5.9Mar 16, 2021
• CVE-2020-13949In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.7.5Feb 12, 2021
• CVE-2018-21234Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.9.8May 21, 2020
• CVE-2018-11777In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.8.1Nov 8, 2018
• CVE-2018-1314In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary tabl...4.3Nov 8, 2018
• CVE-2018-1282This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement impleme...9.1Apr 5, 2018