Druid
This hub aggregates every CVE we track for Druid, a product in the databases space. Use it to gauge the current risk picture and drill into individual advisories.
13
CVEs tracked
2
Critical
3
High
0
In CISA KEV
Severity distribution
MEDIUM8HIGH3CRITICAL2
Monthly trend
0
2
0
0
0
0
0
1
0
0
0
0
0
0
0
1
0
0
1
0
0
0
0
0
2024-082026-07
Latest CVEs
The 13 most recently published vulnerabilities affecting Druid.
- CVE-2026-23906Apache Druid: Authentication Bypass via LDAP Anonymous Bind9.8
- CVE-2025-59390Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.9.8
- CVE-2025-27888Apache Druid: Server-Side Request Forgery and Cross-Site Scripting5.4
- CVE-2024-45537Apache Druid: Users can provide MySQL JDBC properties not on allow list6.5
- CVE-2024-45384Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack5.3
- CVE-2022-28889Clickjacking in the web console4.3
- CVE-2021-44791Reflected XSS on certain HTTP endpoints6.1
- CVE-2021-33800In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal.7.5
- CVE-2021-36749Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)6.5
- CVE-2021-26920Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended6.5
- CVE-2021-26919Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems.8.8
- CVE-2021-25646Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.8.8
- CVE-2020-1958When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines ...6.5
Product normalization is registry-driven with AI assist and human review. How it works