Port reference
Port 8086 (TCP) – InfluxDB HTTP API
Default port for the InfluxDB HTTP API used to write and query time-series data.
Default state
InfluxDB can run on 0.0.0.0:8086 with authentication disabled by default in older versions. Exposed instances leak metrics and, on vulnerable builds, allow an authentication bypass.
Common attacks
- Authentication bypass via CVE-2019-20933 (empty JWT shared secret)
- Unauthenticated reads to query and dump time-series databases
- Information disclosure of metrics, hostnames, and infrastructure detail
- Data deletion or tampering of measurements
Hardening
- Enable authentication and create least-privilege users; set a strong JWT shared secret
- Bind to localhost or a private interface; never expose 8086 to the internet
- Require TLS for the HTTP API
- Firewall 8086 to trusted collectors and dashboards
- Keep InfluxDB patched (fixes CVE-2019-20933) and audit access
nmap snippet
nmap -p8086 --script http-title <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 8086?
Port 8086 is the default for the InfluxDB HTTP API, used by clients and agents to write and query time-series data such as metrics, sensor readings, and monitoring data. Dashboards like Grafana and collectors like Telegraf send HTTP requests to 8086 to store and retrieve measurements.
Why it matters for security
InfluxDB often holds operational and infrastructure metrics that reveal hostnames, topology, and usage patterns. Older versions disabled authentication by default, and CVE-2019-20933 allows an authentication bypass when JWT auth uses an empty shared secret. An exposed 8086 therefore risks both data disclosure and unauthorized writes.
How it's attacked
Attackers scan for open 8086 and either query the API without authentication or exploit CVE-2019-20933 to forge JWT tokens and bypass auth. They then dump time-series databases, harvest infrastructure detail, and may delete or tamper with measurements to disrupt monitoring.
Hardening checklist
Enable authentication with least-privilege users and set a strong JWT shared secret. Bind InfluxDB to localhost or a private interface, require TLS for the HTTP API, and firewall 8086 to trusted collectors and dashboards. Patch to a version that fixes CVE-2019-20933 and audit access. Use the nmap snippet above to detect exposed instances on hosts you are authorized to test.
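The checklist items above correspond to settings in the [http] table of an InfluxDB 1.x influxdb.conf. The audit below is an added example, not code from this page or from the InfluxDB project; the sample configuration is constructed, the parser covers only the minimal TOML subset needed here, and the defaults it assumes (auth and HTTPS off, bind-address ":8086") are the 1.x defaults.

```python
import re

# Constructed sample of an InfluxDB 1.x influxdb.conf (not from a real host).
SAMPLE_CONF = '''
[http]
  enabled = true
  bind-address = ":8086"   # no host part: listens on every interface
  auth-enabled = true
  shared-secret = ""
  https-enabled = false
'''

HEADER = re.compile(r"\[+([\w.-]+)\]+")          # [http] and [[graphite]] style headers
KV = re.compile(r'([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s#]+)')

def http_settings(conf_text):
    """Return key/value pairs from the [http] table only."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header, pair = HEADER.match(line), KV.match(line)
        if header:
            section = header.group(1)
        elif pair and section == "http":
            settings[pair.group(1)] = pair.group(2).strip('"')
    return settings

def audit_http(conf_text):
    """Check the hardening items (auth, JWT secret, bind address, TLS)."""
    s = http_settings(conf_text)
    findings = []
    if s.get("auth-enabled", "false") != "true":
        findings.append("auth-enabled is false: API accepts unauthenticated requests")
    elif not s.get("shared-secret"):
        findings.append("shared-secret is empty: set a strong JWT shared secret")
    host = s.get("bind-address", ":8086").rsplit(":", 1)[0]
    if host in ("", "0.0.0.0", "[::]"):
        findings.append("bind-address covers all interfaces: use localhost or a private IP")
    if s.get("https-enabled", "false") != "true":
        findings.append("https-enabled is false: require TLS for the HTTP API")
    return findings

if __name__ == "__main__":
    for finding in audit_http(SAMPLE_CONF):
        print("[!]", finding)
```

A configuration that passes this audit still needs the firewall rule and the patched version from the checklist, neither of which is visible in the config file.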
Frequently asked questions
- What is CVE-2019-20933 in InfluxDB?
- CVE-2019-20933 is an authentication bypass affecting InfluxDB before 1.7.6. When JWT auth is enabled with an empty shared secret, an attacker can forge tokens and run queries without valid credentials. Patch and set a strong shared secret.
- Is it safe to expose InfluxDB on port 8086?
- No. Exposed InfluxDB leaks metrics and infrastructure detail and may be vulnerable to authentication bypass. Enable auth, require TLS, bind to a private interface, and firewall the port to trusted collectors.