Description
A vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Kvrocks allows a user who can run EVAL scripts to load unvalidated Lua bytecode via the unsafe loadstring function in its sandbox. This can crash the server process, causing a denial of service. The vulnerability exists because the sandbox does not properly restrict code execution, and it is exploitable by sending crafted bytecode to the EVAL command. The attack vector is inferred from the description, which states a user with EVAL privileges can inject bytecode. No additional information on the specific prerequisites or required permissions is provided.
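To show the hardening the fix describes (not exposing the stock loadstring to scripts) and what a text-only replacement looks like, here is an added example; it is not Kvrocks code, and it assumes a Lua 5.1 interpreter (loadstring and setfenv), which is assumed to match the Redis-derived scripting engine.

```lua
-- Added example, not Kvrocks code: a minimal Lua 5.1-style sandbox that never
-- exposes the stock loadstring, plus a text-only loader for the rare case where
-- a script legitimately needs to compile source at runtime. Assumes Lua 5.1
-- (loadstring/setfenv); on Lua 5.2+ use load(chunk, name, "t", env) instead.

local ESC = 27  -- first byte of the Lua bytecode signature "\27Lua"

-- Compile only textual source. Precompiled chunks are refused up front, so the
-- VM's unverified bytecode loader is never reached.
local function load_text_only(chunk, chunkname)
  if type(chunk) ~= "string" then
    return nil, "chunk must be a string"
  end
  if chunk:byte(1) == ESC then
    return nil, "binary chunks are not permitted in the sandbox"
  end
  return loadstring(chunk, chunkname or "=sandbox")
end

-- Whitelisted environment: no loadstring, load, loadfile, dofile or require,
-- and no reference to the real global table.
local function make_sandbox_env()
  local env = {
    pairs = pairs, ipairs = ipairs, next = next, select = select,
    type = type, tostring = tostring, tonumber = tonumber,
    pcall = pcall, error = error, unpack = unpack,
    string = string, table = table, math = math,
    loadstring = load_text_only,  -- replaces the unsafe builtin
  }
  env._G = env
  return env
end

-- Compile and run a user script inside a fresh sandbox environment.
local function run_sandboxed(source)
  local fn, err = load_text_only(source, "=user_script")
  if not fn then
    return nil, err
  end
  setfenv(fn, make_sandbox_env())
  return pcall(fn)
end

-- Constructed inputs: plain source is accepted; a chunk whose first byte is the
-- bytecode signature byte is rejected before it reaches the VM, and the same
-- check applies when the script itself calls loadstring.
print(run_sandboxed("return #string.rep('x', 3) + 1"))
print(run_sandboxed("\27Lua"))
print(run_sandboxed("return loadstring('\\27Lua')"))
```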

Affected Systems

Apache Software Foundation’s Apache Kvrocks versions 2.2.0 through 2.15.0 are affected. Users should upgrade to version 2.16.0, which resolves this issue.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate risk, but the potential to bring the service down makes the impact significant for availability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires an authenticated or otherwise privileged ability to run EVAL scripts, which is not trivial. Nonetheless, once the vulnerability is triggered, the service remains unavailable until it is restarted.

Generated by OpenCVE AI on June 25, 2026 at 12:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Kvrocks to version 2.16.0 or later, which removes the unsafe loadstring function.
  • Restrict the use of the EVAL command in Kvrocks to reduce the attack surface.
  • Monitor Kvrocks logs for abnormal crashes or execution of unvalidated Lua bytecode and verify that the system is back online after a restart.

Generated by OpenCVE AI on June 25, 2026 at 12:00 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache; Apache kvrocks
Vendors & Products                    Apache; Apache kvrocks

Thu, 25 Jun 2026 13:30:00 +0000

Type             Values Removed   Values Added
Metrics (ssvc)                    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 12:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-94

Thu, 25 Jun 2026 09:15:00 +0000

Type                 Values Removed   Values Added
Description                           A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Title                                 Apache Kvrocks: Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.
References
Metrics (cvssV4_0)                    {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:L/U:Green'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-25T12:20:03.821Z

Reserved: 2026-05-18T11:48:58.677Z

Link: CVE-2026-46751

Vulnrichment

Updated: 2026-06-25T09:09:44.557Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T13:30:15Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')