CVE-2018-11764
Description
Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Hadoop 3.0.0-alpha4 through 3.0.0 contains a broken web endpoint authentication check allowing authenticated users to impersonate any user.
Vulnerability
Overview
CVE-2018-11764 describes a broken authentication check in Apache Hadoop's web endpoints, affecting versions 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0 [1]. Hadoop lets a caller act on behalf of another user, but that impersonation is meant to be allowed only for principals explicitly configured as proxy users. In the affected releases the web UI and REST endpoints fail to enforce that restriction, so an authenticated user can impersonate arbitrary users even when no proxy user is configured at all.
Exploitation
An attacker needs valid credentials for the Hadoop cluster; any authenticated account suffices. With those, they can send requests to the affected web endpoints that name another user as the one being acted for, and the broken check accepts the impersonation without consulting the proxy user configuration. No additional privileges or special network access are required beyond being an authenticated user of the system.
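The following is an added illustrative model of the check at issue, written for this page and not taken from Hadoop's code base. The `hadoop.proxyuser.<caller>.hosts` and `hadoop.proxyuser.<caller>.groups` settings are real Hadoop configuration keys; the request shape, the sample configuration, users and group membership are constructed for the example. `effective_user_broken` shows the failure mode described above (impersonation honoured for any authenticated caller), and `effective_user_fixed` shows the check a web endpoint should perform.

```python
"""Model of a web-endpoint impersonation check (added example, not Hadoop code).

The broken variant honours a doAs request parameter for any authenticated
caller.  The fixed variant honours it only when the caller is a configured
proxy user, is connecting from an allowed host, and the target user belongs
to an allowed group.  All data below is constructed sample input.
"""
from dataclasses import dataclass, field

# Constructed sample configuration: only 'oozie' is a configured proxy user,
# permitted from 10.0.0.5 on behalf of members of the 'analysts' group.
SAMPLE_CONF = {
    "hadoop.proxyuser.oozie.hosts": "10.0.0.5",
    "hadoop.proxyuser.oozie.groups": "analysts",
}

# Constructed sample group membership (user -> groups).
SAMPLE_GROUPS = {
    "alice": {"analysts"},
    "hdfs": {"supergroup"},
    "mallory": {"users"},
}


@dataclass
class Request:
    authenticated_user: str   # principal established by the auth filter
    remote_addr: str          # client address seen by the endpoint
    params: dict = field(default_factory=dict)


def _split(value):
    """Parse a comma-separated config value into a set of entries."""
    return {v.strip() for v in value.split(",") if v.strip()}


def effective_user_broken(req):
    """Broken check: doAs is accepted from any authenticated caller.

    No proxy-user configuration is consulted, so anyone who can log in may
    act as anyone else, including an administrative account.
    """
    return req.params.get("doAs", req.authenticated_user)


def effective_user_fixed(req, conf=SAMPLE_CONF, groups=SAMPLE_GROUPS):
    """Hardened check: doAs is honoured only for a configured proxy user that
    is allowed from this host and for the target user's groups.

    Raises PermissionError otherwise; the endpoint should answer 403.
    """
    target = req.params.get("doAs")
    if target is None or target == req.authenticated_user:
        return req.authenticated_user  # no impersonation requested

    caller = req.authenticated_user
    hosts = _split(conf.get("hadoop.proxyuser.%s.hosts" % caller, ""))
    allowed_groups = _split(conf.get("hadoop.proxyuser.%s.groups" % caller, ""))

    # A caller with no proxy-user entries at all must never impersonate.
    if not hosts and not allowed_groups:
        raise PermissionError("%s is not a configured proxy user" % caller)
    if "*" not in hosts and req.remote_addr not in hosts:
        raise PermissionError("%s may not proxy from %s" % (caller, req.remote_addr))
    if "*" not in allowed_groups and not (groups.get(target, set()) & allowed_groups):
        raise PermissionError("%s may not proxy for %s" % (caller, target))
    return target


def demo():
    """Run both checks against the same constructed requests."""
    attacker = Request("mallory", "10.0.0.9", {"doAs": "hdfs"})   # not a proxy user
    legit = Request("oozie", "10.0.0.5", {"doAs": "alice"})       # allowed
    wrong_host = Request("oozie", "10.0.0.9", {"doAs": "alice"})  # wrong source host
    results = {
        "broken_attacker": effective_user_broken(attacker),
        "fixed_legit": effective_user_fixed(legit),
    }
    for name, r in (("fixed_attacker", attacker), ("fixed_wrong_host", wrong_host)):
        try:
            results[name] = effective_user_fixed(r)
        except PermissionError:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the sample data, the broken check lets `mallory` act as `hdfs`, while the fixed check denies that request and the request from an unexpected host, and allows only the configured `oozie` proxy on behalf of an `analysts` member.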
Impact
Successful exploitation allows the attacker to perform actions on behalf of any other user, including administrators. This can lead to unauthorized data access, modification of configurations, or further privilege escalation within the Hadoop cluster.
Mitigation
Apache fixed this vulnerability in Hadoop 3.0.1; users of the affected releases should upgrade to that or a later release. No workaround is documented, so until the upgrade is done any account that can authenticate to the cluster should be treated as able to act as any other user, including administrators, when assessing exposure. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.hadoop:hadoop-main (Maven) | >= 3.0.0-alpha4, < 3.0.1 | 3.0.1 |
| org.apache.hadoop:hadoop-main (Maven) | >= 3.0.0-beta1, < 3.0.1 | 3.0.1 |
| org.apache.hadoop:hadoop-main (Maven) | >= 3.0.0, < 3.0.1 | 3.0.1 |
Affected products
- Apache/Hadoop
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4fh8-pm7g-pmxq (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11764 (NVD)
- lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E (Apache Hadoop announcement on general@hadoop.apache.org)
- security.netapp.com/advisory/ntap-20201103-0003/ (NetApp advisory)
News mentions
No linked articles in our index yet.