Skip to main content
Security News Jun 25, 2026 by vuln.today Threat Intelligence

Critical Lua Sandbox Escape in Apache Kvrocks - CVE-2026-46751

Related CVEs

Other CVEs in Same Group

CVE-2026-46752 CRITICAL 10.0

Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

CVE-2026-41566 CRITICAL 9.4

Privilege bypass in Apache Kvrocks exposes the internal APPLYBATCH command without proper permission enforcement, letting an authenticated low-privilege client write raw batches directly to the underlying RocksDB storage engine and bypass the server's command ACL model. The flaw (CWE-280, improper handling of permissions) carries a CVSS 4.0 base of 9.4 due to high integrity and availability impact and an irrecoverable-damage recovery rating. No public exploit identified at time of analysis, and it is not listed in CISA KEV; it was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two sibling Kvrocks CVEs.

CVE-2026-54226 MEDIUM 6.4

Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.

CVE-2026-45188 LOW 2.4

Replication Fullsync in Apache Kvrocks fails to validate filenames transmitted from a master node to a replica during full synchronization, enabling path traversal to arbitrary filesystem locations. Deployments using Kvrocks master-replica replication are affected; standalone instances with no replication configured are not exposed. An attacker who controls or can impersonate a master node can cause a replica to read or write files outside its intended data directory - no public exploit has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy