A flaw was found in Apache HBase that affects the optional "Thrift 1" API server when running over HTTP. A race condition could lead to authenticated sessions being incorrectly applied to users. References: https://issues.apache.org/jira/browse/HBASE-20664