
Apache Kvrocks CVE-2026-45188

EUVD: EUVD-2026-39334 · LOW
Relative Path Traversal (CWE-23)
2.4
CVSS 4.0 · Vendor

Severity by source

Vendor (CNA) PRIMARY
2.4 LOW
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:Clear
vuln.today AI
8.4 HIGH

Replication is network-based (AV:N) but requires controlling a trusted master node (AC:H, PR:L); successful traversal writes outside the app boundary (S:C), impacting host confidentiality and integrity.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:Clear
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: P
Scope: N

Lifecycle Timeline

  • Jun 25, 2026 - 09:23 (NVD): CVSS changed to 2.4 (LOW)
  • Jun 25, 2026 - 04:46 (vuln.today): Analysis generated

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Replication Fullsync in Apache Kvrocks fails to validate filenames transmitted from a master node to a replica during full synchronization, enabling path traversal to arbitrary filesystem locations. Deployments using Kvrocks master-replica replication are affected; standalone instances with no replication configured are not exposed. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Gain control of or impersonate a Kvrocks master node
  • Delivery: Establish replication connection to target replica
  • Exploit: Trigger Fullsync operation
  • Execution: Transmit crafted filename with path traversal sequences
  • Persist: Replica writes attacker-controlled content to arbitrary filesystem path
  • Impact: Read or overwrite sensitive OS or application files

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the targeted Kvrocks instance is configured as a replica and is in the process of performing a Fullsync with a master node. …

Risk Assessment: No CVSS vector or EPSS score has been published for CVE-2026-45188 as of the pre-NVD oss-security disclosure on 2026-06-25, preventing numeric risk quantification. …

Exploit Scenario: An attacker who has compromised or controls a Kvrocks master node triggers a Fullsync with a target replica, sending a crafted SST filename containing path traversal sequences such as '../../etc/cron.d/backdoor' as part of the file list. The replica, lacking filename validation, writes attacker-controlled content to the traversed path on its filesystem. …

Remediation: Upgrade Apache Kvrocks to the patched version once released by the Apache Security Team. No confirmed fix version number is available in the current pre-NVD disclosure; monitor https://www.openwall.com/lists/oss-security/2026/06/25 and the Apache Kvrocks security page for the exact patched release. …
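The root cause described above is a replica that trusts filenames sent by its master. The following is an added example, not Apache Kvrocks project code, of the kind of check a replica should apply to every entry of a Fullsync file list before opening a file under its data directory: the entry must be a plain base name (no directory separators, no `..`, no NUL or control bytes), and the path is only ever built by joining a validated name onto the local data directory. The function names, the data directory and the sample file list are hypothetical and constructed for illustration.

```cpp
// Added example (not Apache Kvrocks project code): validate filenames that a
// replica receives from its master during Fullsync. Names and paths below are
// hypothetical.
#include <iostream>
#include <string>
#include <vector>

// A Fullsync file list entry must be a bare file name. Anything that could
// change which directory the file lands in is rejected outright.
bool IsSafeSyncFilename(const std::string& name) {
  if (name.empty() || name.size() > 255) return false;
  if (name == "." || name == "..") return false;
  for (char c : name) {
    // Directory separators (both flavours) and NUL (C-string truncation)
    // are never part of a legitimate SST or MANIFEST name.
    if (c == '/' || c == '\\' || c == '\0') return false;
    // Control characters have no place in a data-file name either.
    if (static_cast<unsigned char>(c) < 0x20) return false;
  }
  return true;
}

// Join a validated name onto the replica's data directory. Returns an empty
// string on rejection so a caller cannot build a path from an unchecked name.
std::string SafeSyncPath(const std::string& data_dir, const std::string& name) {
  if (data_dir.empty() || !IsSafeSyncFilename(name)) return "";
  std::string dir = data_dir;
  if (dir.back() != '/') dir.push_back('/');
  return dir + name;
}

// Partition a received file list into accepted and rejected entries, so the
// replica can abort the sync and log every bad name instead of silently
// skipping it.
struct FilterResult {
  std::vector<std::string> accepted;
  std::vector<std::string> rejected;
};

FilterResult FilterSyncFileList(const std::vector<std::string>& names) {
  FilterResult r;
  for (const auto& n : names) {
    if (IsSafeSyncFilename(n)) r.accepted.push_back(n);
    else r.rejected.push_back(n);
  }
  return r;
}

int main() {
  // Constructed sample list: two legitimate RocksDB-style names plus entries a
  // hostile or buggy master might send.
  const std::vector<std::string> sample = {
      "000123.sst", "MANIFEST-000004", "../../etc/cron.d/backdoor",
      "/etc/passwd", "..", std::string("ok.sst\0hidden", 13)};
  FilterResult res = FilterSyncFileList(sample);
  for (const auto& n : res.accepted)
    std::cout << "accept: " << SafeSyncPath("/var/lib/kvrocks", n) << '\n';
  if (!res.rejected.empty()) {
    std::cerr << "aborting fullsync: " << res.rejected.size()
              << " unsafe filename(s) received from master\n";
    return 1;
  }
  return 0;
}
```

Rejecting rather than sanitising (for example stripping `../`) is deliberate: a replica has no legitimate reason to accept anything but a bare name from its master, and a rejected list is a strong signal that the master is compromised or impersonated, which is worth alerting on.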



CVE-2026-45188 vulnerability details – vuln.today
