GHSA lookup
GHSA-Q672-HFC7-G833
Pruva has a verified reproduction for GHSA-Q672-HFC7-G833: the Apache Druid basic security LDAP authenticator can be bypassed when the LDAP server allows anonymous binds, permitting login with any existing username and an empty password. The canonical evidence record is REPRO-2026-00087.
REPRO: REPRO-2026-00087
Package: org.apache.druid.extensions:druid-basic-security · Maven
Severity: CRITICAL
Status: published