GHSA lookup

GHSA-Q672-HFC7-G833

Pruva has a verified reproduction for GHSA-Q672-HFC7-G833: the Apache Druid basic security LDAP authenticator can be bypassed when the LDAP server allows anonymous binds, permitting login with any existing username and an empty password. The canonical evidence record is REPRO-2026-00087.

REPRO: REPRO-2026-00087

Package: org.apache.druid.extensions:druid-basic-security · Maven

Severity: CRITICAL

Status: published