Description
Relative Path Traversal vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 1.0.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Published: 2026-06-25
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A relative path traversal flaw in the replication fullsync command of Apache Kvrocks allows an attacker to specify an unvalidated filename and thus read or write arbitrary files on the host. The weakness, identified as CWE-23, can lead to disclosure of sensitive data or modification of critical configuration files, compromising confidentiality and possibly integrity of the system.

Affected Systems

The issue affects Apache Kvrocks (Apache Software Foundation) versions 1.0.0 through 2.15.0. Any of these releases is vulnerable; later releases are not impacted.

Risk and Exploitability

The CVSS score for this vulnerability is 2.4, indicating a low overall severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation would require an attacker to send a replication command over the network, meaning the attack vector is remote, but only from an entity that can communicate with the replication endpoint. Without such access, the risk is limited.

Generated by OpenCVE AI on June 25, 2026 at 10:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Kvrocks to version 2.16.0 or later.
  • If an upgrade cannot be performed immediately, configure firewall or network controls to restrict access to the replication port so only trusted hosts can connect.
  • Ensure that any remaining replication clients validate filenames before use to prevent unintended file access.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apache; Apache kvrocks
Vendors & Products | | Apache; Apache kvrocks

Thu, 25 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | Relative Path Traversal vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Title | | Apache Kvrocks: Replication Fullsync Path Traversal via Unvalidated Filename Handling
Weaknesses | | CWE-23
References | |
Metrics | | cvssV4_0: {'score': 2.4, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/S:N/AU:N/R:U/RE:L/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-25T12:16:45.965Z

Reserved: 2026-05-10T12:35:41.766Z

Link: CVE-2026-45188

Vulnrichment

Updated: 2026-06-25T09:09:36.379Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T13:30:15Z

Weaknesses
  • CWE-23: Relative Path Traversal