Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validation or allowlisting. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Apache IoTDB versions 1.0.0 through 2.0.9 contain a critical unsafe reflection vulnerability in the pipe processor that allows unauthenticated remote code execution. The vulnerability stems from direct instantiation of user-supplied Java class names via Class.forName().newInstance() without validation or allowlisting. An attacker can specify any fully qualified class name accessible on the classpath, enabling arbitrary code execution with the privileges of the IoTDB process. This affects organizations deploying IoTDB for time-series data collection in industrial IoT, smart cities, and monitoring environments where the pipe processor feature is enabled.
While this CVE maps to CWE-470 (Unsafe Reflection) rather than specific MITRE ATT&CK techniques, Casky's security skills would detect the attack patterns through behavioral analysis of process execution, class loading anomalies, and network communication following suspicious reflection calls. Practitioners using Casky would observe findings related to unexpected process spawning, unusual JVM class instantiation patterns, and potential lateral movement indicators that follow successful exploitation. The lack of mapped ATT&CK techniques highlights a detection gap—this vulnerability primarily manifests as Execution (T1059 - Command and Scripting Interpreter) once weaponized. Organizations should immediately upgrade to version 2.0.10, restrict network access to IoTDB instances, and monitor for suspicious class instantiation attempts in their JVM logs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-40008. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation