Description
Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: 2.8.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Published: 2026-06-25
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Kvrocks does not properly check permissions for the APPLYBATCH command, so users lacking sufficient privileges can still execute it. This allows an attacker to insert, modify, or delete multiple key‑value pairs without authorization, potentially compromising data confidentiality and integrity. The weakness is a permission‑handling issue classified under CWE‑280.

Affected Systems

Apache Kvrocks version 2.8.0 is affected. The vendor recommends upgrading to version 2.16.0 to resolve the issue.

Risk and Exploitability

The CVSS score of 9.4 indicates a severe vulnerability. Although EPSS data is not available and the flaw is not listed in CISA’s KEV catalog, the risk remains high. The likely attack vector is a remote attacker who can authenticate to the Kvrocks instance or exploit the command via the network. If the attacker gains any access, this flaw can be used to elevate privileges and corrupt data.

Generated by OpenCVE AI on June 25, 2026 at 10:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading Apache Kvrocks to version 2.16.0 or later.
  • If an immediate upgrade is not possible, limit access to the Kvrocks service by configuring firewall rules or network segmentation to allow only trusted hosts.
  • Disable the APPLYBATCH command or enforce strict ACLs to ensure that only authorized users can execute batch operations.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Title | | Apache Kvrocks: Improper permission for the APPLYBATCH command
Weaknesses | | CWE-280
References | |
Metrics | | cvssV4_0: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/R:I/RE:M/U:Amber'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-25T09:09:32.299Z

Reserved: 2026-04-21T13:34:48.585Z

Link: CVE-2026-41566

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:30:17Z

Weaknesses
  • CWE-280: Improper Handling of Insufficient Permissions or Privileges