Apache Kvrocks security advisories

Security information for Apache Kvrocks

Reporting

Do you want disclose a potential security issue for Apache Kvrocks? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

RESTORE IntSet Integer Overflow Leads to Remote DoS

CVE-2026-54226 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-25T07:59:22.966Z

Affected

  • Apache Kvrocks from 2.6.0 through 2.15.0

Description

A vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

References

Credits

  • 朱少扬 (reporter)

Stack buffer overflow in Lua bit.tohex()

CVE-2026-46752 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-25T08:00:16.837Z

Affected

  • Apache Kvrocks from 2.0.4 through 2.15.0

Description

Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

References

Credits

  • Jincheng Yang (reporter)

Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.

CVE-2026-46751 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-25T08:00:59.029Z

Affected

  • Apache Kvrocks from 2.2.0 through 2.15.0

Description

A vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

References

Credits

  • 4ra2n (A code security AI agent) (finder)

Replication Fullsync Path Traversal via Unvalidated Filename Handling

CVE-2026-45188 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-25T08:01:48.602Z

Affected

  • Apache Kvrocks from 1.0.0 through 2.15.0

Description

Relative Path Traversal vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 1.0.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

References

Credits

  • @Brubbish of VARAS@IIE (reporter)

Improper permission for the APPLYBATCH command

CVE-2026-41566 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-25T08:04:24.570Z

Affected

  • Apache Kvrocks from 2.8.0 through 2.15.0

Description

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: 2.8.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.

References

Credits

  • Qing Xu (reporter)

MONITOR command reveals plaintext credentials to non-admins

CVE-2025-59792 [CVE] [CVE json] [OSV json]

Last updated: 2025-11-28T14:21:21.082Z

Affected

  • Apache Kvrocks from 1.0.0 through 2.13.0

Description

Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.

Users are recommended to upgrade to version 2.14.0, which fixes the issue.

References

Credits

  • Mapta / BugBunny_ai (reporter)

RESET command grants admin privileges

CVE-2025-59790 [CVE] [CVE json] [OSV json]

Last updated: 2025-11-28T14:20:28.481Z

Affected

  • Apache Kvrocks from 2.9.0 through 2.13.0

Description

Improper Privilege Management vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0.

Users are recommended to upgrade to version 2.14.0, which fixes the issue.

References

Credits

  • Mapta / BugBunny_ai (reporter)

The server was crashed by the negative offset

CVE-2025-26413 [CVE] [CVE json] [OSV json]

Last updated: 2025-04-22T10:35:30.358Z

Affected

  • Apache Kvrocks through 2.11.1

Description

Improper Input Validation vulnerability in Apache Kvrocks.

The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index
of a string. So it will cause the server to crash due to its index is  out of range.

This issue affects Apache Kvrocks: through 2.11.1.

Users are recommended to upgrade to version 2.12.0, which fixes the issue.

References

Credits

  • ankki-zsyang, Shenzhen Ankki Technologies Co., Ltd. (reporter)

Cross-Protocol Scripting Vulnerability

CVE-2025-25069 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-07T12:46:01.975Z

Affected

  • Apache Kvrocks through 2.11.0

Description

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.

Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests,
a valid HTTP request can also be sent to Kvrocks as a valid RESP request
and trigger some database operations, which can be dangerous when
it is chained with SSRF.

It is similiar to CVE-2016-10517 in Redis.

This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.

Users are recommended to upgrade to version 2.11.1, which fixes the issue.

References

Credits

  • Sergey Volosatov (reporter)