SCA: security update for org.apache.druid.extensions:druid-basic-security (GHSA-q672-hfc7-g833)

critical Tenable Self-Hosted Container Security Plugin ID 437674

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Affected Products and Versions * Apache Druid * Affected Versions: 0.17.0 through 35.x (all versions prior
to 36.0.0) * Prerequisites: * druid-basic-security extension enabled * LDAP authenticator configured *
Underlying LDAP server permits anonymous bind Vulnerability Description An authentication bypass
vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP
authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can
bypass authentication by providing an existing username with an empty password. This allows unauthorized
access to otherwise restricted Druid resources without valid credentials. The vulnerability stems from
improper validation of LDAP authentication responses when anonymous binds are permitted, effectively
treating anonymous bind success as valid user authentication. Impact A remote, unauthenticated attacker
can: * Gain unauthorized access to the Apache Druid cluster * Access sensitive data stored in Druid
datasources * Execute queries and potentially manipulate data * Access administrative interfaces if the
bypassed account has elevated privileges * Completely compromise the confidentiality, integrity, and
availability of the Druid deployment Mitigation Immediate Mitigation (No Druid Upgrade Required): *
Disable anonymous bind on your LDAP server. This prevents the vulnerability from being exploitable and is
the recommended immediate action. Resolution * Upgrade Apache Druid to version 36.0.0 or later, which
includes fixes to properly reject anonymous LDAP bind attempts. (CVE-2026-23906)

See Also

https://github.com/advisories/GHSA-q672-hfc7-g833

Plugin Details

Severity: Critical

ID: 437674

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 2/10/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.48

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-23906

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/10/2026

Vulnerability Publication Date: 2/10/2026

Reference Information

CVE: CVE-2026-23906

cwe: CWE-287