A vulnerability was found in Apache IoTDB up to 2.0.9 and classified as critical. This impacts the function Class.forName of the component Pipe Processor. The manipulation results in use of externally-controlled input to select classes or code.

This vulnerability is known as CVE-2026-40008. It is possible to launch the attack remotely. No exploit is available.