CVE-2026-23906: Critical Apache Druid LDAP Authentication Bypass Enables Remote Full Cluster Takeover

Apache Druid – LDAP Authentication Bypass Leading to Full Cluster Compromise


Vulnerability Overview

CVE ID: CVE-2026-23906
Product: Apache Druid
Affected Component: druid-basic-security extension (LDAP authentication module)
Affected Versions: 0.17.0 through 35.x
Fixed Version: 36.0.0 and later
CVSS v3.1 Score: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
Exploitability: High (remote, unauthenticated)
Exploit Availability: No official public exploit released at time of disclosure; exploitation is technically simple under misconfigured LDAP environments


Executive Summary

A critical authentication bypass vulnerability was identified in Apache Druid when LDAP authentication is enabled through the druid-basic-security extension and the connected LDAP server allows anonymous binds.

Under these conditions, authentication validation may be incorrectly interpreted as successful even when an empty password is supplied. As a result, an unauthenticated remote attacker may impersonate any existing Druid user account. If privileged accounts are targeted, full cluster compromise becomes possible.

This issue does not affect Druid installations that:

  • Do not use LDAP authentication
  • Have anonymous bind disabled on the LDAP server
  • Have upgraded to version 36.0.0 or later

Technical Root Cause

The vulnerability exists in the interaction between Druid’s LDAP authentication mechanism and LDAP server configurations that permit anonymous bind operations.

In LDAP:

  • An anonymous bind allows a client to connect without credentials.
  • Some directory servers permit read-only access without authentication.

During authentication flow:

  1. A username is submitted to Druid.
  2. Druid attempts to validate credentials via LDAP bind.
  3. If the LDAP server permits anonymous bind, the bind operation may succeed even if the password field is empty.
  4. Improper validation logic results in Druid accepting this as successful authentication.

The flaw is not in LDAP itself but in how Druid interprets the bind response.
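As an added illustration (not Druid's source code), the following Python models the bind semantics described above and contrasts a validator that trusts the bind result code alone with one that rejects empty credentials and checks the resulting identity. The in-memory directory, the user DN and the password are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class FakeLdapServer:
    """Constructed in-memory stand-in for LDAP simple-bind semantics (RFC 4513 5.1)."""
    users: dict                   # dn -> password (constructed sample data)
    allow_anonymous: bool = True  # the directory setting this advisory warns about

    def simple_bind(self, dn, password):
        """Return (result_code, authz_dn): 0 = success, 49 = invalidCredentials."""
        if dn == "" and password == "":
            # Anonymous bind: accepted whenever the directory allows it.
            return (0, "") if self.allow_anonymous else (49, None)
        if password == "":
            # Unauthenticated bind (DN given, empty password): a directory that
            # still honours it grants an *anonymous* session, so the bind "succeeds".
            return (0, "") if self.allow_anonymous else (49, None)
        if self.users.get(dn) == password:
            return (0, dn)        # authenticated bind: the password was actually checked
        return (49, None)

def vulnerable_validate(server, dn, password):
    # The flaw described above: success is inferred from the bind result code
    # alone, so an empty password passes whenever anonymous bind is enabled.
    code, _ = server.simple_bind(dn, password)
    return code == 0

def hardened_validate(server, dn, password):
    # 1. Refuse empty credentials before ever talking to the directory.
    if not dn or not password:
        return False
    code, authz_dn = server.simple_bind(dn, password)
    # 2. Require that the session is authenticated as that user, not merely
    #    that the bind returned without error.
    return code == 0 and authz_dn == dn

ADMIN = "uid=admin,ou=users,dc=example,dc=com"          # constructed DN
DIRECTORY = FakeLdapServer(users={ADMIN: "s3cret"})     # constructed password

if __name__ == "__main__":
    print(vulnerable_validate(DIRECTORY, ADMIN, ""))        # True  (bypass)
    print(hardened_validate(DIRECTORY, ADMIN, ""))          # False
    print(hardened_validate(DIRECTORY, ADMIN, "s3cret"))    # True
```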


Impact Assessment

If successfully exploited, the following may occur:

  • Unauthorized access to Druid Web Console
  • Execution of SQL queries via HTTP API
  • Data exfiltration
  • Ingestion task manipulation
  • Configuration tampering
  • Service disruption
  • Potential persistence via ingestion or extension mechanisms

If administrative accounts are impersonated, the entire Druid cluster can be controlled.

Because Druid is commonly deployed in analytics pipelines, compromise may expose:

  • Business intelligence data
  • Customer datasets
  • Operational metrics
  • Internal reporting systems

Attack Preconditions

Exploitation requires all of the following:

  1. druid-basic-security extension enabled
  2. LDAP authentication configured
  3. LDAP server configured to allow anonymous bind
  4. Target username exists in LDAP

No credentials are required.


Attack Scenario

An attacker performs the following:

  1. Identifies a Druid instance exposed via HTTP.
  2. Attempts authentication using:
    • Valid username
    • Empty password
  3. If LDAP permits anonymous bind, authentication may succeed.
  4. Authenticated session token is received.
  5. API endpoints are accessed with authenticated privileges.

No exploit framework is required.


Proof-of-Concept (Educational)

The following demonstrates conceptually how exploitation may occur in vulnerable environments.

HTTP Authentication Attempt Example

POST /druid-ext/basic-security/authentication/login HTTP/1.1
Host: target-druid-server
Content-Type: application/json

{
  "username": "admin",
  "password": ""
}

If the instance is vulnerable, the response may include an authentication success token.


LDAP Simple Bind Example (Command-Line Simulation)

ldapsearch -x -D "uid=admin,ou=users,dc=example,dc=com" -w "" -H ldap://ldap-server

If the directory honours such a bind (LDAP treats a DN with a zero-length password as an unauthenticated bind and grants the session anonymous access), the command succeeds even though no password was checked.

This is provided strictly for defensive validation and educational purposes.


Indicators of Exploitation

LDAP Server Logs

Look for:

  • Bind DN empty
  • Simple bind with zero-length password
  • Anonymous bind operations originating from Druid server IP

Example patterns:

BIND dn="" method=128
simple bind successful

Druid Logs

Search for:

  • Authentication success entries without corresponding failed attempts
  • Login success from unusual IPs
  • Rapid API calls following login
  • Access to administrative endpoints

Detection Guidance

Log Sources Required

  • LDAP directory server logs
  • Druid authentication logs
  • Druid request/access logs
  • Reverse proxy logs
  • Network monitoring logs

Splunk Detection Queries

Detect Anonymous LDAP Binds

index=ldap_logs ("BIND dn=\"\"" OR "anonymous bind" OR "simple bind successful")
| stats count by src_ip, _time

Detect Successful Druid Authentication (for correlation with empty-password binds)

index=druid_logs "Authentication succeeded"
| stats count by username, src_ip

Druid does not log the submitted password, so this query cannot see an empty password on its own; it provides the set of successful logins to correlate with the anonymous-bind events found in the LDAP logs.

Correlate LDAP Anonymous Bind with Druid Login

index=ldap_logs "BIND dn=\"\""
| rename src_ip as ip
| join ip
    [ search index=druid_logs "Authentication succeeded"
      | rename client_ip as ip ]

Note that the LDAP bind is performed by the Druid node on the client's behalf, so src_ip in the LDAP logs is normally the Druid server rather than the end client; where the IPs do not line up, correlate on timestamp proximity between the bind and the Druid login instead.

Detect Suspicious Administrative Activity

index=druid_logs (uri="/druid/indexer/v1/*" OR uri="/druid/coordinator/*")
| stats count by username, client_ip

Behavioral Detection Strategy

Focus should be placed on:

  • LDAP simple binds without credentials
  • New login IP addresses
  • Authentication without password retries
  • Administrative API access immediately after authentication
  • Unusual ingestion or deletion operations

Correlating LDAP bind logs with Druid authentication logs provides highest detection fidelity.
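An added example (not from the advisory or the Druid project) that implements the correlation described above over constructed sample log lines: slapd-style conn/op/BIND/RESULT lines for LDAP, and an assumed Druid authenticator line carrying user and client IP. Because the bind is issued by the Druid node, the correlation is by timestamp proximity rather than by IP.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (assumed formats: slapd-style conn/op lines; made-up Druid line).
LDAP_LOG = """\
2026-01-15T10:00:00Z conn=1001 op=0 BIND dn="" method=128
2026-01-15T10:00:00Z conn=1001 op=0 RESULT tag=97 err=0 text=
2026-01-15T10:30:00Z conn=1002 op=0 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128
2026-01-15T10:30:00Z conn=1002 op=0 RESULT tag=97 err=0 text=
"""
DRUID_LOG = """\
2026-01-15T10:00:01Z INFO Authentication succeeded user=admin client_ip=203.0.113.7
2026-01-15T10:30:01Z INFO Authentication succeeded user=bob client_ip=10.0.0.5
"""

ANON_BIND = re.compile(r'(\S+) conn=(\d+) op=(\d+) BIND dn="" method=128')
RESULT = re.compile(r"(\S+) conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
DRUID_OK = re.compile(r"(\S+) .*Authentication succeeded user=(\S+) client_ip=(\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def successful_anonymous_binds(ldap_log):
    """Timestamps of anonymous simple binds (dn="") that the server accepted (err=0)."""
    pending, hits = {}, []
    for line in ldap_log.splitlines():
        m = ANON_BIND.search(line)
        if m:
            pending[(m.group(2), m.group(3))] = parse_ts(m.group(1))
            continue
        m = RESULT.search(line)
        if m and m.group(4) == "0" and (m.group(2), m.group(3)) in pending:
            hits.append(pending.pop((m.group(2), m.group(3))))
    return hits

def correlate(ldap_log, druid_log, window=timedelta(seconds=5)):
    """Druid logins that occur within `window` after an accepted anonymous bind.
    Correlation is by time: the bind's source IP is the Druid node, not the client."""
    binds = successful_anonymous_binds(ldap_log)
    suspicious = []
    for line in druid_log.splitlines():
        m = DRUID_OK.search(line)
        if m:
            t = parse_ts(m.group(1))
            if any(timedelta(0) <= t - b <= window for b in binds):
                suspicious.append((m.group(2), m.group(3)))
    return suspicious

if __name__ == "__main__":
    print(correlate(LDAP_LOG, DRUID_LOG))  # [('admin', '203.0.113.7')]
```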


Risk Evaluation

  Factor                    Risk Level
  Remote Exploitable        Yes
  Authentication Required   No
  User Interaction          No
  Complexity                Low
  Privilege Escalation      Possible
  Data Exposure             High
  Service Disruption        High

This vulnerability carries near-maximum severity because exploitation is simple and impact is total.


Mitigation and Remediation

Immediate Mitigation

  1. Disable anonymous bind on LDAP server.
  2. Restrict LDAP server access to trusted systems only.
  3. Monitor for suspicious binds.
  4. Temporarily restrict high-privilege accounts.
  5. Rotate credentials if exploitation suspected.

Permanent Fix

Upgrade Apache Druid to version 36.0.0 or later.

Official Download and Upgrade Source:

https://druid.apache.org/downloads

Upgrade should be tested in staging before production deployment.


Post-Compromise Actions

If exploitation is suspected:

  • Preserve logs immediately.
  • Identify affected accounts.
  • Rotate all credentials.
  • Rebuild affected nodes if integrity cannot be guaranteed.
  • Audit ingestion pipelines.
  • Validate cluster configuration.
  • Review access tokens issued during vulnerable period.

Hardening Recommendations

  • Disable LDAP anonymous bind permanently.
  • Enforce LDAPS (TLS encryption).
  • Implement role-based access control.
  • Restrict Druid admin endpoints to internal networks.
  • Enable centralized logging.
  • Deploy alerting for authentication anomalies.
  • Periodically audit LDAP configuration.

Strategic Security Considerations

This vulnerability demonstrates the risks introduced by:

  • Trusting external authentication systems without strict validation
  • Allowing legacy LDAP configurations
  • Relying on default directory settings
  • Insufficient authentication auditing

Security posture must include validation of upstream authentication responses, not only successful return codes.


Final Takeaway

CVE-2026-23906 represents a critical authentication bypass in Apache Druid environments using LDAP with anonymous bind enabled. Exploitation is straightforward, requires no credentials, and may result in full cluster compromise.

Immediate action is recommended:

  1. Disable anonymous LDAP bind.
  2. Upgrade to Druid 36.0.0 or later.
  3. Implement detection rules.
  4. Review cluster access controls.

This vulnerability should be treated as high priority in all affected environments.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.