securityonline.info 2/11/2026, 1:15:58 AM · via preferred

CVE-2026-23906: Authentication Bypass Flaw Hits Apache Druid Analytics Clusters

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

The article reports that CVE-2026-23906 is an authentication bypass flaw in Apache Druid that arises from how the druid-basic-security extension handles LDAP authentication, specifically when the LDAP server allows anonymous binds. According to The Apache Software Foundation, the vulnerability lets a remote, unauthenticated attacker bypass authentication by supplying an existing username with an empty password, potentially gaining the permissions of the impersonated user.

It notes the impact as severe: an attacker could read data, manipulate queries, or reach administrative interfaces if the impersonated user holds those privileges, threatening the deployment's confidentiality and integrity. Affected versions are 0.17.0 through 35.x, all prior to 36.0.0, and exploitation requires a configured druid-basic-security extension, an LDAP authenticator, and an LDAP server that permits anonymous binds. The Apache team released Druid 36.0.0 to address the issue; for those unable to upgrade, the documented workaround is to disable anonymous bind on the LDAP server.
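The mechanism behind this class of bug is the LDAP "unauthenticated bind" (RFC 4513 section 5.1.2): a simple bind that carries a name but an empty password is not an authentication failure, it is an anonymous bind that succeeds whenever the server allows anonymity, so a client that equates "bind succeeded" with "password verified" can be fooled. The following added example (written for this summary, not code from the article, from Apache Druid, or from any real LDAP library) models that server behaviour with a small in-memory directory, places a naive authenticator beside a hardened one that refuses blank credentials before binding, and includes the probe a defender would use to confirm whether anonymous bind is still enabled. The FakeLdapServer, the sample directory, and the DN layout under dc=example,dc=com are all constructed assumptions.

```python
"""Model of the LDAP unauthenticated-bind pitfall behind an empty-password
authentication bypass, with a naive client beside a hardened one.

Constructed example: FakeLdapServer is a simplified model of the RFC 4513
section 5.1.2 rule, not Apache Druid's authenticator or a real LDAP library.
"""

from dataclasses import dataclass

# Constructed sample directory: DN -> password.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "s3cret-pass",
    "uid=bob,ou=people,dc=example,dc=com": "another-pass",
}


@dataclass
class FakeLdapServer:
    """Minimal directory model.

    When allow_anonymous is True, a simple bind whose password is empty is
    treated as an *unauthenticated* bind: the server grants anonymous access
    without ever looking at the supplied DN. That is the behaviour a naive
    client mistakes for "password verified".
    """

    users: dict
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # Unauthenticated bind: DN is ignored, result depends only on
            # whether the server permits anonymous access.
            return self.allow_anonymous
        # Normal simple bind: the password must match the DN's entry.
        return self.users.get(dn) == password


def user_dn(username: str) -> str:
    """Map a login name onto a DN; the layout is a constructed assumption."""
    return f"uid={username},ou=people,dc=example,dc=com"


def naive_authenticate(server: FakeLdapServer, username: str, password: str) -> bool:
    """Naive client: a successful bind is taken as proof of the password.

    With anonymous bind enabled, an empty password for any existing (or even
    non-existent) name 'authenticates', which is the bypass pattern.
    """
    return server.simple_bind(user_dn(username), password)


def hardened_authenticate(server: FakeLdapServer, username: str, password: str) -> bool:
    """Hardened client: reject blank credentials before contacting the server.

    Because the check happens client-side, the result no longer depends on
    the directory's anonymous-bind setting; the server-side workaround
    (disabling anonymous bind) remains a second, independent layer.
    """
    if not username or not password:
        return False
    return server.simple_bind(user_dn(username), password)


def anonymous_bind_enabled(server: FakeLdapServer) -> bool:
    """Defender's probe: an empty DN with an empty password is the canonical
    anonymous bind. Success here means the LDAP-side workaround has not
    been applied yet."""
    return server.simple_bind("", "")


if __name__ == "__main__":
    open_server = FakeLdapServer(SAMPLE_DIRECTORY, allow_anonymous=True)
    locked_server = FakeLdapServer(SAMPLE_DIRECTORY, allow_anonymous=False)
    print("anonymous bind enabled (open):  ", anonymous_bind_enabled(open_server))
    print("naive, alice + empty password:  ", naive_authenticate(open_server, "alice", ""))
    print("hardened, alice + empty password:", hardened_authenticate(open_server, "alice", ""))
    print("naive on locked server, empty:   ", naive_authenticate(locked_server, "alice", ""))
```

The point of the probe is that it tests the condition the advisory's workaround targets: if `anonymous_bind_enabled` returns True against a directory that backs an unpatched Druid, the server-side mitigation is still outstanding regardless of what the client does.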


Article by CyberSIXT