Advisory

Critical privilege escalation flaw in Apache StreamPipes allows admin takeover

Take action: If you are using Apache StreamPipes, this is important. First, make sure it is isolated from the internet and reachable only from trusted networks by trusted users. Then plan a very quick update, because the exploit amounts to changing a single value in the JWT.


Learn More

The Apache Software Foundation has released a security update to fix a critical flaw in StreamPipes, an open-source data streaming platform. The vulnerability allows any user with a standard account to gain full administrative control of the system.

The vulnerability is tracked as CVE-2025-47411 (CVSS score 9.8) and resides in the user ID creation mechanism. An attacker manipulates the JSON Web Token (JWT) to swap their own username for that of an existing administrator. Because the system fails to validate this identity change properly, the attacker gains elevated permissions instantly.

Example

Original JWT (decoded)

{
  "username": "alice",
  "user_id": "user_123",
  "role": "user"
}

Tampered JWT (decoded)

{
  "username": "admin",  ← CHANGED FROM "alice"
  "user_id": "user_123",
  "role": "user"
}
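The example above shows the one changed claim. The following code is an added illustration, not StreamPipes' own code, of why that change should never work: a token's signature has to be verified before any claim is read, and the caller's identity and role must come from a server-side record keyed by the verified user ID, never from the username claim itself. The signing key, the user store, the vulnerable resolve_by_username_claim pattern and the HS256 helpers are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key and user store for the demo; neither is StreamPipes' own.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
USER_STORE = {
    "user_123": {"username": "alice", "role": "user"},
    "user_001": {"username": "admin", "role": "admin"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a minimal HS256 JWT over the given claims."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims only if the HS256 signature over header.payload checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    # Pin the algorithm server-side; never let the token's header choose it.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def resolve_by_username_claim(token: str, store: dict) -> dict:
    """Vulnerable pattern (hypothetical, not StreamPipes' code): the caller is
    whoever the token's 'username' claim names, and the claim is read without
    checking the signature. Editing that one value is the takeover path."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    for user_id, record in store.items():
        if record["username"] == claims.get("username"):
            return {"user_id": user_id, **record}
    raise PermissionError("unknown username")


def resolve_principal(token: str, key: bytes, store: dict) -> dict:
    """Hardened pattern: verify the signature first, then take username and role
    from the server-side record keyed by the verified user_id. The 'username'
    claim inside the token is never used for authorization."""
    claims = verify_jwt(token, key)
    record = store.get(claims.get("user_id"))
    if record is None:
        raise PermissionError("unknown user_id")
    return {"user_id": claims["user_id"], **record}


def tamper_username(token: str, new_username: str) -> str:
    """Rewrite only the payload's username, keeping the original signature: this
    reproduces the advisory's 'tampered JWT' for the demo below."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["username"] = new_username
    new_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{new_payload}.{sig}"


def demo() -> dict:
    alice = sign_jwt({"username": "alice", "user_id": "user_123", "role": "user"}, SECRET_KEY)
    forged = tamper_username(alice, "admin")
    results = {"vulnerable_forged": resolve_by_username_claim(forged, USER_STORE)["role"]}
    try:
        resolve_principal(forged, SECRET_KEY, USER_STORE)
        results["hardened_forged"] = "accepted"
    except ValueError as exc:
        results["hardened_forged"] = f"rejected: {exc}"
    results["hardened_genuine"] = resolve_principal(alice, SECRET_KEY, USER_STORE)["role"]
    # Even a properly signed token whose username claim says "admin" resolves to
    # whatever the store holds for its user_id, because the claim is not consulted.
    signed_lie = sign_jwt({"username": "admin", "user_id": "user_123", "role": "admin"}, SECRET_KEY)
    results["hardened_claim_ignored"] = resolve_principal(signed_lie, SECRET_KEY, USER_STORE)["role"]
    return results


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the vulnerable resolver handing the forged token an admin role, the hardened resolver rejecting the same token on its signature, and the hardened resolver still returning "user" for a validly signed token that merely claims to be admin. The second point is the important design choice: the check a reviewer should look for is that no authorization decision ever reads the username claim.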

Once an attacker has administrative access, they can view, change, or delete sensitive information flowing through the platform.

Affected versions: Apache StreamPipes 0.69.0 through 0.97.0.

Apache recommends that all administrators upgrade to version 0.98.0 immediately. If an upgrade is not possible, restrict access to the StreamPipes interface to trusted internal networks and users, and monitor access logs for unusual username changes or privilege shifts.
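For the monitoring part of that advice, the following is an added example (not from the advisory or the StreamPipes project) of a small detector that scans access logs for a user ID whose username or role changes between requests, or that reaches admin routes without an admin role. The key=value log layout, the sample lines and the /api/v2/admin/ prefix are constructed for the example; adapt the parser and prefix to the real log format and routes.

```python
import re
from typing import Optional

# Constructed sample lines in a hypothetical key=value access-log layout; this is
# not StreamPipes' real log format, and the /api/v2/admin/ prefix is invented.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z user_id=user_123 username=alice role=user method=GET path=/api/v2/pipelines status=200
2025-06-01T10:00:05Z user_id=user_001 username=admin role=admin method=GET path=/api/v2/admin/users status=200
2025-06-01T10:02:10Z user_id=user_123 username=admin role=user method=GET path=/api/v2/admin/users status=200
2025-06-01T10:02:15Z user_id=user_123 username=admin role=admin method=DELETE path=/api/v2/pipelines/42 status=204
2025-06-01T10:03:00Z user_id=user_456 username=bob role=user method=GET path=/api/v2/pipelines status=200
"""

ADMIN_PATH_PREFIX = "/api/v2/admin/"  # hypothetical; substitute the real admin routes
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
REQUIRED = ("user_id", "username", "role", "path")


def parse_line(line: str) -> Optional[dict]:
    """Turn one 'ts k=v k=v ...' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    fields["ts"] = m.group("ts")
    return fields


def detect_identity_shifts(log_text: str) -> list:
    """Flag, per user_id, a username that differs from the one last seen, a role
    that differs from the one last seen, and admin-path requests made while the
    role is not admin. These are the 'username changes or privilege shifts' the
    advisory says to monitor for."""
    last_name: dict = {}
    last_role: dict = {}
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not all(k in rec for k in REQUIRED):
            continue
        uid, name, role, path = rec["user_id"], rec["username"], rec["role"], rec["path"]
        if uid in last_name and last_name[uid] != name:
            findings.append({"ts": rec["ts"], "user_id": uid, "kind": "username_change",
                             "detail": f"{last_name[uid]} -> {name}", "path": path})
        if uid in last_role and last_role[uid] != role:
            findings.append({"ts": rec["ts"], "user_id": uid, "kind": "role_change",
                             "detail": f"{last_role[uid]} -> {role}", "path": path})
        if role != "admin" and path.startswith(ADMIN_PATH_PREFIX):
            findings.append({"ts": rec["ts"], "user_id": uid, "kind": "admin_path_as_non_admin",
                             "detail": f"role={role}", "path": path})
        last_name[uid], last_role[uid] = name, role
    return findings


if __name__ == "__main__":
    for f in detect_identity_shifts(SAMPLE_LOG):
        print(f["ts"], f["user_id"], f["kind"], f["detail"], f["path"])
```

On the sample lines the detector raises three findings, all for user_123: the username flipping from alice to admin, an admin route requested while the role is still user, and the role then shifting from user to admin. Keying the state on user_id rather than username is deliberate, since the username is exactly the field an attacker rewrites.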
