
Apache Kvrocks CVE-2026-46751

EUVD-2026-39333 | MEDIUM 5.5 (CVSS 4.0, Vendor)

Severity by source

Vendor (CNA), primary: 5.5 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green

vuln.today AI: 9.9 CRITICAL
AI rationale: network-accessible service, low attack complexity once authenticated; PR:L because EVAL requires a valid user account; S:C (CVSS 3.1 scope change) because a sandbox escape grants host-level impact beyond the database process.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

Vendor CVSS 4.0 vector, decoded

Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Low
User Interaction: Passive
Vulnerable system impact (C/I/A): Low / Low / Low
Subsequent system impact (C/I/A): High / High / High
Supplemental metrics: Safety Negligible (S:N), Automatable Yes (AU:Y), Recovery User (R:U), Value Density Diffuse (V:D), Response Effort Low (RE:L), Provider Urgency Green (U:Green)

Note that CVSS 4.0 has no Scope metric; the S:N in the vector is the supplemental Safety metric, not a scope value.

Lifecycle Timeline

Jun 25, 2026 09:23 (NVD): CVSS changed, 5.5 (MEDIUM)
Jun 25, 2026 04:46 (vuln.today): Analysis generated

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

A Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. Kvrocks does not strip the loadstring function from its Lua scripting environment, a standard hardening step in Redis-protocol-compatible systems. With loadstring available, a script passed to EVAL can compile and run arbitrary Lua source or precompiled bytecode at runtime, so the restrictions the sandbox places on the script text it was given no longer bound what the script can execute. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: authenticate to the Kvrocks service
Delivery: issue EVAL with a loadstring payload
Exploit: the Lua runtime compiles the arbitrary code chunk
Execution: the sandbox boundary is bypassed
Impact: execute OS commands or access the host filesystem as the server process user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network connectivity to the Kvrocks service port; (2) a valid account permitted to execute EVAL, so the condition is authenticated and low-privilege, not unauthenticated; (3) no non-default configuration beyond EVAL access, which Redis-compatible systems typically grant to every authenticated user by default. …
Risk Assessment: The vendor (CNA) vector above scores this 5.5 MEDIUM, with high attack complexity, passive user interaction and low direct impact on the database itself but high impact on subsequent systems. The 9.9 CRITICAL AI rating instead assumes low complexity, no user interaction and full compromise of the host. The two ratings therefore disagree on how reliably a sandbox escape turns into host compromise, not on the vulnerability class. …
Exploit Scenario: An authenticated Kvrocks user with EVAL access sends a Lua script built around `loadstring`, for example `EVAL "return loadstring('os = require(\'os\'); return os.execute(\'id\')')()" 0`. Because `loadstring` is not removed from the sandbox, the inner chunk is compiled and executed inside the server process, bypassing the scripting restrictions and potentially running OS-level commands or reading arbitrary data. …
Remediation: Upgrade to the patched Apache Kvrocks release once the Apache Software Foundation publishes it. Until then, restrict EVAL to the accounts that need it; EVALSHA executes scripts registered with SCRIPT LOAD in the same Lua environment, so the restriction has to cover that path as well. …
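Detecting the payload pattern from the scenario above in a command stream, as an added example that is not code from Apache Kvrocks or from vuln.today: the script reads lines in the Redis MONITOR format, flags EVAL and SCRIPT LOAD bodies that call `loadstring` or its usual companions, and resolves EVALSHA against the SHA-1 of earlier SCRIPT LOAD bodies, because an EVALSHA line carries only the hash and never the script. The sample lines are constructed; that a given Kvrocks build emits exactly this MONITOR format, and that the companion list matches what a hardened sandbox removes, are assumptions.

```python
"""Flag Lua scripts that reach for code-loading primitives in a Redis-protocol
command stream. Added example for this page; not code from Apache Kvrocks or
vuln.today. Input is the Redis MONITOR line format; the sample lines below are
constructed, and it is an assumption that a given Kvrocks build logs identically.
"""
import hashlib
import re
import shlex
from dataclasses import dataclass, field

# The CVE concerns loadstring; the rest are companions a hardened Redis-style
# sandbox removes as well (assumed list, not taken from Kvrocks).
ESCAPE_PRIMITIVES = ("loadstring", "load", "dofile", "loadfile",
                     "setfenv", "getfenv", "os.execute", "io.popen", "require")
# Whole identifier followed by a call or a string argument, so identifiers such
# as "reload" or "payload_count" do not match.
_CALL_RE = re.compile(r"(?<![\w.])(" + "|".join(re.escape(p) for p in ESCAPE_PRIMITIVES)
                      + r")\s*[(\"']")
# MONITOR line: <unix time> [<db> <client addr>] "CMD" "arg" ...
_MONITOR_RE = re.compile(r"^(\S+) \[(\d+) ([^\]]+)\] (.*)$")


@dataclass
class Finding:
    timestamp: str
    client: str
    command: str        # EVAL, SCRIPT (LOAD) or EVALSHA
    primitives: tuple   # sorted, deduplicated primitive names found in the body
    script: str


@dataclass
class Scanner:
    # sha1 -> body from SCRIPT LOAD, so a later EVALSHA is judged by the body
    # it actually runs even though the EVALSHA line carries only the hash.
    loaded: dict = field(default_factory=dict)

    def script_for(self, args):
        """Return (command, lua body or None) for one parsed command."""
        cmd = args[0].upper()
        if cmd == "EVAL" and len(args) >= 2:
            return cmd, args[1]
        if cmd == "SCRIPT" and len(args) >= 3 and args[1].upper() == "LOAD":
            body = args[2]
            self.loaded[hashlib.sha1(body.encode()).hexdigest()] = body
            return cmd, body
        if cmd == "EVALSHA" and len(args) >= 2:
            return cmd, self.loaded.get(args[1].lower())
        return cmd, None

    def scan_line(self, line):
        m = _MONITOR_RE.match(line)
        if not m:
            return None
        ts, _db, client, rest = m.groups()
        try:
            args = shlex.split(rest)  # MONITOR quotes arguments shell-style
        except ValueError:
            return None               # truncated line with an unclosed quote
        if not args:
            return None
        cmd, script = self.script_for(args)
        if script is None:
            return None
        prims = tuple(sorted({c.group(1) for c in _CALL_RE.finditer(script)}))
        return Finding(ts, client, cmd, prims, script) if prims else None

    def scan(self, lines):
        return [f for f in map(self.scan_line, lines) if f is not None]


LOADED_BODY = "local f = loadstring(ARGV[1]); return f()"
LOADED_SHA = hashlib.sha1(LOADED_BODY.encode()).hexdigest()


def sample_lines():
    """Constructed MONITOR lines: benign EVALs from one client and an escape
    attempt from another, including the SCRIPT LOAD / EVALSHA indirection."""
    return [
        '1782364980.101001 [0 10.0.0.5:51422] "AUTH" "(redacted)"',
        '1782364980.204511 [0 10.0.0.5:51422] "EVAL" "return redis.call(\\"GET\\", KEYS[1])" "1" "session:42"',
        r'''1782364981.337204 [0 10.0.0.9:40118] "EVAL" "return loadstring('os = require(\'os\'); return os.execute(\'id\')')()" "0"''',
        f'1782364982.010933 [0 10.0.0.9:40118] "SCRIPT" "LOAD" "{LOADED_BODY}"',
        f'1782364982.450120 [0 10.0.0.9:40118] "EVALSHA" "{LOADED_SHA}" "0" "return 1"',
        '1782364983.120000 [0 10.0.0.5:51422] "EVAL" "return redis.call(\\"INCR\\", \\"reload_counter\\")" "0"',
    ]


def scan_sample():
    """Run a fresh scanner over the constructed sample and return its findings."""
    return Scanner().scan(sample_lines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.timestamp} {f.client} {f.command}: {', '.join(f.primitives)}")
```

The identifier boundary in `_CALL_RE` matters in practice: a bare substring match on `load` would flag every script that touches a key named `reload_counter`, and an alerting rule that noisy gets switched off.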

Recommended Action (AI)

Within 24 hours: audit all Apache Kvrocks deployments to identify instances with EVAL enabled and document which accounts hold EVAL privileges. …
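One way to carry out that audit against a running instance, as an added example that is not code from Apache Kvrocks or from vuln.today: the probe speaks raw RESP so it needs no client library, sends an EVAL whose script reports `type()` of `loadstring` and its companions, and interprets the reply. A removed global reports the string `nil`; a server that refuses EVAL (disabled or unauthorised) answers with an error reply, which the code raises rather than mistaking for a hardened sandbox. The probe script, the `probe()` helper, the companion list, the default port 6666 and the two sample replies are assumptions constructed for illustration, not captured from a real server.

```python
"""Probe whether a Redis-protocol server still exposes Lua code-loading globals
to EVAL. Added example for this page; not code from Apache Kvrocks or vuln.today.
The probe script, the port default and the sample replies are constructed.
"""
import socket

# Globals a hardened Redis-style Lua sandbox removes. loadstring is the one this
# CVE concerns; the others are its usual companions (assumed list, not Kvrocks').
PROBED = ("loadstring", "load", "dofile", "loadfile", "setfenv")
# type(x) yields the string "nil" for a missing global, so the reply is always an
# array of strings with one entry per PROBED name, never a truncated table.
PROBE_SCRIPT = "return {" + ", ".join(f"type({g})" for g in PROBED) + "}"


class RespError(Exception):
    """Server error reply (RESP '-' type), e.g. EVAL refused or AUTH failure."""


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings, as clients send it."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def parse_resp(buf, pos=0):
    """Parse one RESP2 value at buf[pos]; returns (value, next_pos).
    Raises ValueError on an incomplete buffer so a reader can keep receiving."""
    kind = buf[pos:pos + 1]
    end = buf.find(b"\r\n", pos + 1)
    if not kind or end < 0:
        raise ValueError("incomplete reply")
    line, pos = buf[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode(), pos
    if kind == b"-":
        return RespError(line.decode()), pos
    if kind == b":":
        return int(line), pos
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, pos
        if len(buf) < pos + n + 2:
            raise ValueError("incomplete reply")
        return buf[pos:pos + n].decode(), pos + n + 2
    if kind == b"*":
        n = int(line)
        if n < 0:
            return None, pos
        items = []
        for _ in range(n):
            item, pos = parse_resp(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unsupported RESP type byte {kind!r}")


def interpret(reply):
    """Map the probe reply to {global_name: still_present}. An error reply is
    raised, not reported as hardened: EVAL being refused is a different state."""
    if isinstance(reply, RespError):
        raise reply
    if not isinstance(reply, list) or len(reply) != len(PROBED):
        raise ValueError(f"unexpected probe reply: {reply!r}")
    return {name: typ != "nil" for name, typ in zip(PROBED, reply)}


def exposed(status):
    """Globals that remain callable from a script, in PROBED order."""
    return [name for name in PROBED if status[name]]


def _recv_reply(sock):
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
        try:
            return parse_resp(buf)[0]
        except ValueError:
            continue  # partial reply; keep reading until it parses


def probe(host, port=6666, password=None, timeout=3.0):
    """Connect, optionally AUTH, run the probe via EVAL and interpret the reply.
    Port 6666 is assumed here as the Kvrocks default."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password is not None:
            sock.sendall(encode_command("AUTH", password))
            auth = _recv_reply(sock)
            if isinstance(auth, RespError):
                raise auth
        sock.sendall(encode_command("EVAL", PROBE_SCRIPT, "0"))
        return interpret(_recv_reply(sock))


# Constructed sample replies: an environment that kept loadstring, load and
# setfenv, and one with all five removed.
UNPATCHED_REPLY = (b"*5\r\n$8\r\nfunction\r\n$8\r\nfunction\r\n"
                   b"$3\r\nnil\r\n$3\r\nnil\r\n$8\r\nfunction\r\n")
HARDENED_REPLY = b"*5\r\n" + b"$3\r\nnil\r\n" * 5

if __name__ == "__main__":
    for label, raw in (("unpatched", UNPATCHED_REPLY), ("hardened", HARDENED_REPLY)):
        print(label, "exposes:", exposed(interpret(parse_resp(raw)[0])))
```

Run `probe("db.example.internal", password="...")` against each inventoried instance and record the `exposed()` list per host; an empty list means the code-loading globals are gone, while a `RespError` means the account cannot run EVAL at all, which is the other outcome the audit wants to record.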



CVE-2026-46751 vulnerability details – vuln.today
