Hadoop

This hub aggregates every CVE we track for Hadoop, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

OSS Librarieson-premlibrary

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

HIGH21MEDIUM8CRITICAL7LOW1

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Hadoop.

CVE-2025-27821HDFS native client: Out of bounds write in URI parser of native HDFS client7.3Jan 26, 2026
CVE-2024-23454Apache Hadoop: Temporary File Local Information Disclosure6.2Sep 25, 2024
CVE-2023-26031Privilege escalation in Apache Hadoop Yarn container-executor binary on Linux systems7.5Nov 16, 2023
CVE-2021-25642Apache Hadoop YARN remote code execution in ZKConfigurationStore of capacity scheduler8.8Aug 25, 2022
CVE-2022-25168Command injection in org.apache.hadoop.fs.FileUtil.unTarUsingTar9.8Aug 4, 2022
CVE-2021-33036Apache Hadoop Privilege escalation vulnerability8.8Jun 15, 2022
CVE-2021-37404Heap buffer overflow in libhdfs native library9.8Jun 13, 2022
CVE-2022-26612Arbitrary file write in FileUtil#unpackEntries on Windows9.8Apr 7, 2022
CVE-2020-9492In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.8.8Jan 26, 2021
CVE-2018-11764Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.8.8Oct 21, 2020
CVE-2018-11765In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through...7.5Sep 30, 2020
CVE-2012-2945Hadoop 1.0.3 contains a symlink vulnerability.7.5Oct 28, 2019
CVE-2019-17195Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authen...9.8Oct 15, 2019
CVE-2018-11768In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.7.5Oct 4, 2019
CVE-2018-8029In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.8.8May 30, 2019

Product normalization is registry-driven with AI assist and human review. How it works