Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.
Description
Apache Druid 0.20.0 and earlier allows authenticated users to override server configuration and execute arbitrary JavaScript, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Druid 0.20.0 and earlier allows authenticated users to override server configuration and execute arbitrary JavaScript, leading to remote code execution.
Vulnerability
Details
The vulnerability resides in Apache Druid's feature that allows execution of user-provided JavaScript code in requests. This feature is disabled by default but in Druid 0.20.0 and earlier, an authenticated user can send a specially-crafted request that overrides this configuration and forces Druid to run the JavaScript, regardless of server settings [1][2].
Exploitation
To exploit, an attacker must have authenticated access to the Druid cluster. They can then craft a request that includes JavaScript code, which the Druid server will execute. The attacker does not need any special privileges other than being a legitimate user [2].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the Druid server with the privileges of the server process. This can lead to full compromise of the Druid node and potentially the entire cluster.
Mitigation
Users should upgrade to Druid 0.20.1, which fixes the issue. Additionally, network access to Druid cluster machines should be restricted to trusted hosts only [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.druid:druidMaven | < 0.20.1 | 0.20.1 |
Affected products
2- Apache Software Foundation/Apache Druidv5Range: 0.20.0 and earlier
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
31- github.com/advisories/GHSA-wrqf-rrrw-w3mgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-25646ghsaADVISORY
- packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.htmlghsax_refsource_MISCWEB
- www.openwall.com/lists/oss-security/2021/01/29/6ghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92@%3Cdev.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f@%3Ccommits.druid.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3Eghsax_refsource_MISCWEB
- lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c@%3Ccommits.druid.apache.org%3EghsaWEB
News mentions
0No linked articles in our index yet.