A vulnerability, which was classified as problematic, has been found in Apache IoTDB up to 2.0.7. Impacted is an unknown function of the component Thrift RPC Query Handler. This manipulation of the argument sessionId causes improper authorization.

This vulnerability is tracked as CVE-2026-24013. The attack is possible to be carried out remotely. No exploit exists.