Dremio Improper Authorization Vulnerability Allows Arbitrary File Deletion

Vulnerability

A vulnerability allowing authenticated users to delete arbitrary files accessible to the system has been identified in Dremio. The issue arises from inadequate access controls on an API endpoint, which lets users delete files outside their authorized scope. Affected files include system files as well as files stored on local filesystems or in remote locations such as S3 and Azure Blob Storage. Exploitation could result in data loss, denial of service, and potentially greater impact depending on which files are deleted.
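The root cause described above is an endpoint that verifies that the caller is authenticated but not that the requested path is one the caller is allowed to manage. The following added example (not Dremio's code, and not the affected endpoint) contrasts that weak pattern with a hardened delete handler that normalizes the path and confines it to the caller's permitted roots before removing anything, and records every decision for detection. The `Caller`, `FileStore`, and the sample paths are constructed for illustration.

```python
"""Constructed example: a file-deletion handler with and without scope enforcement."""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Caller:
    """Hypothetical authenticated principal; allowed_roots is assumed to come from the authz model."""
    user: str
    allowed_roots: Set[str]


@dataclass
class FileStore:
    """Constructed in-memory stand-in for a local filesystem or an object store (S3, Azure Blob)."""
    files: Dict[str, bytes]
    audit: List[str] = field(default_factory=list)


def delete_file_weak(store: FileStore, caller: Caller, path: str) -> bool:
    """Weak pattern: authentication only. Any logged-in user can delete any path."""
    if not caller.user:
        return False
    removed = store.files.pop(path, None) is not None
    store.audit.append(f"DELETE user={caller.user} path={path!r} removed={removed}")
    return removed


def in_scope(caller: Caller, requested: str) -> bool:
    """True only if the normalized absolute path lies under one of the caller's allowed roots."""
    if not requested.startswith("/"):
        return False  # relative paths are rejected outright
    norm = posixpath.normpath(requested)  # collapses '..' and '.' segments
    for root in caller.allowed_roots:
        root_n = posixpath.normpath(root)
        prefix = root_n.rstrip("/") + "/"  # trailing slash prevents /data/sales matching /data/salesx
        if norm == root_n or norm.startswith(prefix):
            return True
    return False


def delete_file_hardened(store: FileStore, caller: Caller, path: str) -> bool:
    """Hardened pattern: authorization on the normalized path, with an audit record either way."""
    if not in_scope(caller, path):
        store.audit.append(f"DENY user={caller.user} path={path!r}")
        return False
    norm = posixpath.normpath(path)
    removed = store.files.pop(norm, None) is not None
    store.audit.append(f"DELETE user={caller.user} path={norm} removed={removed}")
    return removed


def demo() -> Tuple[bool, bool, List[str]]:
    """Run both requests against the hardened handler and report what survives."""
    store = FileStore(files={"/data/sales/q1.parquet": b"...", "/srv/app/server.conf": b"..."})
    analyst = Caller(user="analyst", allowed_roots={"/data/sales"})
    traversal = delete_file_hardened(store, analyst, "/data/sales/../../srv/app/server.conf")
    legitimate = delete_file_hardened(store, analyst, "/data/sales/q1.parquet")
    return traversal, legitimate, sorted(store.files)


if __name__ == "__main__":
    print(demo())
```

The `DENY` audit lines are the detection hook: a burst of denials from one account, or any delete request whose raw path contains `..` segments, is worth alerting on even after the upgrade.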

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of files, causing data loss and service disruption. Depending on the nature of the deleted files, the impact could escalate further.

Remediation

Users are advised to upgrade to Dremio version 24.3.17 or later, 25.0.15 or later, 25.1.8 or later, 25.2.5 or later, or 26.0.0 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 5.2
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.