Critical authentication bypass vulnerability reported in Apache Pinot
Take action: If you are using Apache Pinot, first make sure it is isolated from the internet and reachable only from trusted networks. Then disable Groovy scripts unless they are absolutely necessary, and plan a prompt upgrade. The upgrade may be complex, so apply the mitigations first. But do not skip the patch: mitigation is always imperfect.
Learn More
A critical security flaw has been reported in Apache Pinot, a real-time distributed OLAP datastore.
The flaw is tracked as CVE-2024-56325 (CVSS score 9.8) and allows unauthenticated attackers to bypass authentication controls entirely and gain unauthorized access to sensitive systems. The Zero Day Initiative (ZDI) tracks this issue as ZDI-CAN-24001 and has confirmed the risk of active exploitation.
The vulnerability stems from improper neutralization of special elements in the AuthenticationFilter class, which fails to adequately validate URI components. The flaw requires no passwords, tokens, or session hijacking: attackers simply manipulate HTTP request paths, crafting requests that contain specially encoded characters to bypass authentication checks entirely.
Apache Pinot versions before 1.3.0 are affected. Successful exploitation grants attackers the same privileges as authenticated users, enabling access to internal APIs, configuration files, and script execution interfaces that can run malicious code.
Apache has resolved the flaw in Pinot 1.3.0, released on March 3, 2025. Administrators are advised to immediately upgrade all Pinot controllers, brokers, and servers to the patched version; restrict access to /appConfigs and other administrative endpoints using Pinot's updated role-based controls; disable unnecessary functionality by setting pinot.server.instance.enable.groovy=false in the configuration files to mitigate RCE risk; and isolate Pinot clusters from public networks.
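As an added illustration of the defensive side of this bug class (this is not Pinot's own code and does not describe the exact check inside AuthenticationFilter), the following Python compares each requested path against its canonical form, percent-decoded and with dot segments collapsed, and flags requests that only resolve to a protected endpoint such as /appConfigs after canonicalisation. The log format, the sample lines and the protected-prefix list are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Pinot logs); the
# "method path status" format is assumed.
SAMPLE_LOG = """\
GET /health 200
GET /appConfigs 401
GET /%61ppConfigs 200
GET /health/../appConfigs 200
GET /appConfigs%2f 200
"""

# /appConfigs is named in the advisory; treat it as a protected prefix (assumption).
PROTECTED_PREFIXES = ("/appConfigs",)
LOG_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")


def canonical_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and collapse dot segments."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):  # bounded: catches double encoding, never loops
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    normalized = posixpath.normpath(path)  # resolves "." and "..", drops "//"
    return normalized if normalized.startswith("/") else "/" + normalized


def is_protected(canonical: str) -> bool:
    """Authorization decision made on the canonical form, not the raw URI."""
    return any(canonical == p or canonical.startswith(p + "/")
               for p in PROTECTED_PREFIXES)


def flag_suspicious(log_text: str) -> list:
    """Flag requests whose raw path differs from its canonical form and
    resolves to a protected endpoint; these merit review regardless of status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw, canon = m.group("path"), canonical_path(m.group("path"))
        if raw != canon and is_protected(canon):
            hits.append((raw, canon, int(m.group("status"))))
    return hits
```

The same canonicalise-then-decide ordering is what an authentication filter should apply before matching a request against its protected-path rules.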