CVE lookup

CVE-2026-23906

Pruva has a verified reproduction for CVE-2026-23906: the Apache Druid basic security LDAP authenticator can be bypassed when the LDAP server allows anonymous binds, permitting login with any existing username and an empty password. The canonical evidence record is REPRO-2026-00087.

REPRO

REPRO-2026-00087

Package

org.apache.druid.extensions:druid-basic-security · Maven

Severity

CRITICAL

Status

published