Apache Kvrocks security advisories
Security information for Apache Kvrocks
Reporting
Do you want disclose a potential security issue for Apache Kvrocks? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
RESTORE IntSet Integer Overflow Leads to Remote DoS
CVE-2026-54226 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-25T07:59:22.966Z
Affected
- Apache Kvrocks from 2.6.0 through 2.15.0
Description
A vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0.
Users are recommended to upgrade to version 2.16.0, which fixes the issue.
References
Credits
- 朱少扬 (reporter)
Stack buffer overflow in Lua bit.tohex()
CVE-2026-46752 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-25T08:00:16.837Z
Affected
- Apache Kvrocks from 2.0.4 through 2.15.0
Description
Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0.
Users are recommended to upgrade to version 2.16.0, which fixes the issue.
References
Credits
- Jincheng Yang (reporter)
Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.
CVE-2026-46751 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-25T08:00:59.029Z
Affected
- Apache Kvrocks from 2.2.0 through 2.15.0
Description
A vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0.
Users are recommended to upgrade to version 2.16.0, which fixes the issue.
References
Credits
- 4ra2n (A code security AI agent) (finder)
Replication Fullsync Path Traversal via Unvalidated Filename Handling
CVE-2026-45188 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-25T08:01:48.602Z
Affected
- Apache Kvrocks from 1.0.0 through 2.15.0
Description
Relative Path Traversal vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 1.0.0 through 2.15.0.
Users are recommended to upgrade to version 2.16.0, which fixes the issue.
References
Credits
- @Brubbish of VARAS@IIE (reporter)
Improper permission for the APPLYBATCH command
CVE-2026-41566 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-25T08:04:24.570Z
Affected
- Apache Kvrocks from 2.8.0 through 2.15.0
Description
Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: 2.8.0.
Users are recommended to upgrade to version 2.16.0, which fixes the issue.
References
Credits
- Qing Xu (reporter)
MONITOR command reveals plaintext credentials to non-admins
CVE-2025-59792 [CVE] [CVE json] [OSV json]
Last updated: 2025-11-28T14:21:21.082Z
Affected
- Apache Kvrocks from 1.0.0 through 2.13.0
Description
Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.
Users are recommended to upgrade to version 2.14.0, which fixes the issue.
References
Credits
- Mapta / BugBunny_ai (reporter)
RESET command grants admin privileges
CVE-2025-59790 [CVE] [CVE json] [OSV json]
Last updated: 2025-11-28T14:20:28.481Z
Affected
- Apache Kvrocks from 2.9.0 through 2.13.0
Description
Improper Privilege Management vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0.
Users are recommended to upgrade to version 2.14.0, which fixes the issue.
References
Credits
- Mapta / BugBunny_ai (reporter)
The server was crashed by the negative offset
CVE-2025-26413 [CVE] [CVE json] [OSV json]
Last updated: 2025-04-22T10:35:30.358Z
Affected
- Apache Kvrocks through 2.11.1
Description
Improper Input Validation vulnerability in Apache Kvrocks.
The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an indexof a string. So it will cause the server to crash due to its index is out of range.
This issue affects Apache Kvrocks: through 2.11.1.
Users are recommended to upgrade to version 2.12.0, which fixes the issue.
References
Credits
- ankki-zsyang, Shenzhen Ankki Technologies Co., Ltd. (reporter)
Cross-Protocol Scripting Vulnerability
CVE-2025-25069 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-07T12:46:01.975Z
Affected
- Apache Kvrocks through 2.11.0
Description
A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.
Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests,a valid HTTP request can also be sent to Kvrocks as a valid RESP request
and trigger some database operations, which can be dangerous when
it is chained with SSRF.
It is similiar to CVE-2016-10517 in Redis.
This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.
Users are recommended to upgrade to version 2.11.1, which fixes the issue.
References
- https://www.cve.org/CVERecord?id=CVE-2016-10517
- https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t
Credits
- Sergey Volosatov (reporter)