Apache Druid: Authentication Bypass via LDAP Anonymous Bind
Description
Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured * Underlying LDAP server permits anonymous bind
Vulnerability Description
An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.
The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication.
Impact
A remote, unauthenticated attacker can: * Gain unauthorized access to the Apache Druid cluster * Access sensitive data stored in Druid datasources * Execute queries and potentially manipulate data * Access administrative interfaces if the bypassed account has elevated privileges * Completely compromise the confidentiality, integrity, and availability of the Druid deployment
Mitigation
Immediate Mitigation (No Druid Upgrade Required): * Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is the recommended immediate action.
Resolution * Upgrade Apache Druid to version 36.0.0 or later, which includes fixes to properly reject anonymous LDAP bind attempts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Druid authentication bypass via LDAP anonymous bind allows unauthenticated access to sensitive data and administrative interfaces (CVE-2026-23906).
Vulnerability
CVE-2026-23906 is an authentication bypass vulnerability in Apache Druid affecting versions 0.17.0 through 35.x (prior to 36.0.0) when the druid-basic-security extension is enabled with LDAP authentication [1][2]. The root cause is improper validation of LDAP authentication responses when the underlying LDAP server permits anonymous binds [1]. If an attacker provides an existing username with an empty password, Druid treats the anonymous bind success as valid user authentication, bypassing credential verification [1][2].
Exploitation
Exploitation requires: the druid-basic-security extension enabled, LDAP authenticator configured, and an LDAP server that allows anonymous binds [1][2]. A remote, unauthenticated attacker can supply any valid Druid username and an empty password over the network; if the LDAP server accepts the anonymous bind, Druid incorrectly authenticates the attacker as that user [1][2]. No prior authentication is needed, and the attack does not depend on knowledge of the user's real password [2].
Impact
Successful exploitation grants the attacker unauthorized access to the Druid cluster with the privileges of the bypassed user [1][2]. The attacker can access sensitive data in Druid datasources, execute queries, and potentially modify or delete data. If the impersonated account has administrative privileges, the attacker can also access administrative interfaces, leading to complete compromise of confidentiality, integrity, and availability [1][2].
Mitigation
The Apache Druid project has released version 36.0.0 which fixes the vulnerability [1][2]. Users who cannot upgrade immediately should ensure their LDAP server does not permit anonymous binds, or disable the druid-basic-security extension if LDAP anonymous bind is required for other purposes [1]. No workaround is described for scenarios where the LDAP server configuration cannot be changed [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.druid.extensions:druid-basic-securityMaven | >= 0.17.0, < 36.0.0 | 36.0.0 |
Affected products
2- Apache Software Foundation/Apache Druidv5Range: 0.17.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-q672-hfc7-g833ghsaADVISORY
- lists.apache.org/thread/2x9rv3kv6t1p577lvq4z0rl0zlt9g4srghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-23906ghsaADVISORY
- www.openwall.com/lists/oss-security/2026/02/09/5ghsaWEB
News mentions
0No linked articles in our index yet.