CVE-2020-26168
Description
Hazelcast IMDG and Jet Enterprise LDAP authentication bypasses password verification when a system-user-dn is used, allowing invalid passwords.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, does not properly verify the password in some system-user-dn scenarios. The flaw affects versions where system-user-dn is configured for LDAP authentication, allowing authentication without correct password validation [1].
Exploitation
An attacker with network access to a Hazelcast cluster that uses LDAP authentication with a configured system-user-dn can bypass password verification. The attacker does not need valid credentials; they can present any arbitrary password and be authenticated as the LDAP user. No prior authentication or special privileges are required [1].
Impact
Successful exploitation allows an attacker to authenticate to the Hazelcast cluster as a valid LDAP user without knowing the correct password. This can lead to unauthorized access to data, operations, or cluster resources depending on the user's permissions. The integrity and confidentiality of the system could be compromised [1].
Mitigation
Hazelcast released fixed versions: IMDG Enterprise 4.0.3 and later; Jet Enterprise 4.2.8 and later. Users should upgrade to these or newer versions. If upgrading is not immediately possible, disable the use of system-user-dn in LDAP configurations as a workaround [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Hazelcast/IMDG Enterprise
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- docs.hazelcast.org/docs/ern/index.html
- hazelcast.zendesk.com/hc/en-us/articles/360050161951--IMDG-Enterprise-4-0-4-0-1-4-0-2-LDAP-Authentication-Bypass
- hazelcast.zendesk.com/hc/en-us/articles/360051384932--JET-Enterprise-4-0-4-1-4-1-1-4-2-LDAP-Authentication-Bypass
- jet-start.sh/blog/2020/10/23/jet-43-is-released
News mentions
No linked articles in our index yet.