Redis
Monthly
Session revocation bypass in Open WebUI 0.9.0 through 0.9.x (deployments configured with Redis) lets a holder of a revoked JWT keep authenticating realtime Socket.IO connections. The flaw stems from first-message authentication for Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket calling decode_token without the Redis-backed is_valid_token revocation check, so logout, forced-logout, or token invalidation does not sever active realtime access. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the fix is version 0.10.0.
Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.
Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.
Server-side request forgery in the @better-auth/sso plugin (versions >= 0.1.0 through < 1.6.11, and 1.7.0-beta.x) lets any authenticated Better Auth session register an OIDC provider with attacker-controlled endpoint URLs, which the auth server then fetches during callback and reflects into the user profile - a non-blind SSRF exposing cloud metadata (IMDS 169.254.169.254), internal APIs, and localhost-bound services like Redis. When trustEmailVerified is enabled it escalates to full account takeover via forged emailVerified claims. Carrying a CVSS 9.6 (scope-changed) rating with no public exploit identified at time of analysis, the flaw was reported by Vaadata and fixed in 1.6.11.
Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.
Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443.
Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. No public exploit identified at time of analysis, but the deserialization sink and Kryo gadget ecosystem make weaponization straightforward once an attacker can write to the persistence store.
Credential exposure in the Ansible keyring_info module (plugins/modules/keyring_info.py) causes master passwords, SSH key passphrases, and service credentials retrieved from OS-native keystores to be emitted as plaintext in task output, registered variables, and persistent log backends. Any local user with access to Ansible playbook output - including AWX/Tower job logs, Redis or JSON fact caches, and debug task output - can read credentials in full. A proof-of-concept demonstrating plaintext passphrase capture from Ansible output exists, though no confirmed active exploitation (CISA KEV) has been observed. Affected deployments span RHEL 8, 9, and 10 per Red Hat CPE data.
Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege 'configure' permission to coerce the application server into issuing arbitrary outbound network requests to any internal or external host. Affected versions prior to 2025.05.19 pass user-supplied URLs directly to curl_init() in ConfigurationController::testProvider() with no scheme, hostname, or private-IP validation; the intended /api/dbInfo suffix restriction is trivially defeated by appending a # fragment character, granting full URL control. Support for the telnet:// scheme enables internal TCP port scanning, while gopher:// permits raw protocol-level interaction with unauthenticated internal services such as Redis and Memcached, creating a realistic path to Remote Code Execution on those systems under common deployment conditions. No public exploit code or CISA KEV listing has been identified at time of analysis.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
Memory exhaustion in Netty's RedisArrayAggregator handler (io.netty:netty-codec-redis) allows remote unauthenticated attackers to drain the JVM-wide direct-memory pool by repeatedly opening and closing Redis pipeline connections before RESP array aggregates complete. Affects netty-codec-redis 4.1.x through 4.1.134.Final and 4.2.0.Final through 4.2.14.Final; vendor patches are available in 4.1.135.Final and 4.2.15.Final. No public exploit identified at time of analysis, EPSS is low (0.04%), and the issue is not in CISA KEV.
SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.
Remote denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows unauthenticated attackers to exhaust direct memory by sending crafted RESP protocol payloads lacking the required \r\n terminator across multiple concurrent connections. The RedisDecoder buffers digit streams indefinitely while awaiting a line terminator, eventually triggering OutOfDirectMemoryError and preventing legitimate connections from being processed. No public exploit identified at time of analysis, but the vendor advisory GHSA-6ghj-frrj-jjj3 confirms the issue and patched releases are available.
Denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to exhaust JVM heap memory by sending Redis payloads with unbounded nested array headers. The RedisArrayAggregator allocates a new AggregateState and ArrayList for every nested array header without enforcing a depth limit, so a continuous stream of `*1\r\n` headers triggers an OutOfMemoryError. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-Side Request Forgery in NocoDB (npm/nocodb, versions up to and including 2026.05.0) allows authenticated users with connection-test permission to direct the NocoDB server process to open raw TCP sockets to attacker-specified internal destinations, including Redis instances, cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), and internal databases. The vulnerable connection-test endpoint accepted user-supplied database hostnames without DNS resolution or address-range validation, effectively making NocoDB an unauthenticated SSRF proxy to the internal network from the server's vantage point. No public exploit has been identified at time of analysis; a vendor-released patch exists in version 2026.05.1.
Privilege escalation in Arista CloudVision Exchange (CVX) allows an authenticated attacker with network reach to the Redis service to obtain full root access across every server in the CVX cluster. The flaw stems from CVX's reliance on Redis for inter-node coordination combined with the fact that Redis traffic - including authentication - is transmitted in plaintext, meaning anyone who can sniff a single session can replay credentials to compromise the entire cluster. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity.
Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. No public exploit has been identified at time of analysis, and EPSS stands at 0.06%, though Roundcube installations are historically targeted by espionage-motivated threat actors and patching is strongly recommended.
Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.
Missing Redis cache invalidation in Budibase's public API role unassignment endpoint allows users with revoked admin, builder, or app-level privileges to retain full access for up to 1 hour (the hardcoded Redis TTL of 3600 seconds). Affected deployments are Budibase versions prior to 3.38.2 running an enterprise license, where the `POST /api/public/v1/roles/unassign` endpoint writes revocations to CouchDB but never calls `cache.user.invalidateUser()`, leaving the authentication middleware to serve stale permissions from Redis. Publicly available exploit code exists within the GHSA-6vp2-6r7m-2jvx advisory; no confirmed active exploitation (not listed in CISA KEV at time of analysis).
{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.
Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).
Insecure deserialization in Significant-Gravitas AutoGPT platform versions 0.6.34 through 0.6.51 lets an attacker who can poison entries in the shared Redis cache achieve arbitrary command execution inside the backend container. The backend's read path invokes pickle.loads on cache bytes with no HMAC, signature, or schema gate, so any attacker-controlled value reaching that key becomes code on retrieval. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the vendor shipped a fix in autogpt-platform-beta-v0.6.52.
OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.
Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.
Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.
Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.
{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory.
Cross-account email event leakage in Inbox Zero prior to 2.29.3 allows authenticated users of the cleaner feature to receive thread events intended for other authenticated accounts via a shared Redis subscription listener. The vulnerability requires both accounts to be actively using the cleaner feature simultaneously and affects only confidentiality of email metadata, with low attack complexity but requiring prior authentication and precise timing.
Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.
Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.
Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where `call_tool()` and `call_tool_streaming()` reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (`localhost.evil.com` bypassing `startswith` checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).
Server-Side Request Forgery (SSRF) in nuxt-og-image 6.2.5 through 6.4.8 allows remote attackers to bypass the incomplete IPv6 denylist and redirect validation, reaching internal IP addresses and services through incomplete IPv6 prefix filtering and unauthenticated HTTP redirect following. The vulnerability affects the OG image rendering component used by Nuxt applications, enabling attackers to leak internal service responses by injecting crafted IPv6-mapped addresses or chaining external redirects to internal targets.
CRLF injection in Netty's RedisEncoder allows remote command injection and response poisoning by injecting carriage return and line feed characters into InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage objects. Attackers can inject arbitrary Redis commands (such as CONFIG SET, FLUSHALL, or authentication bypass) or forge fake responses when user-controlled input is placed into these message types without sanitization. The vulnerability affects Netty 4.2.12.Final and all prior versions with the codec-redis module; no active exploitation has been reported in CISA KEV, but publicly available proof-of-concept code demonstrates the vulnerability.
Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.
Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.
Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.
Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.
Redis-server with Lua scripting allows authenticated attackers to trigger a use-after-free vulnerability on replicas where replica-read-only is disabled, potentially leading to remote code execution. The vulnerability exploits the master-replica synchronization mechanism and is present in all versions prior to 8.6.3. Patch vendor-released patch: 8.6.3.
Use-after-free in Redis 7.2.0 through 8.6.2 allows authenticated attackers to achieve remote code execution by exploiting error handling in the unblock client flow. When a blocked client is evicted during command re-execution, the server fails to handle the error return from processCommandAndResetClient, triggering memory corruption. Redis has released version 8.6.3 with a security fix. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the critical RCE impact.
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.
Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.
Server-Side Request Forgery in Vexa meeting bot allows unauthenticated remote attackers to forge HTTP POST requests to arbitrary internal URLs (Redis, databases, cloud metadata endpoints) via unvalidated webhook configuration, enabling credential theft and lateral movement. CVSS 5.8 with network attack vector and no user interaction required. Fixed in version 0.10.0-260419-1910.
{ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows
Distribution container registry versions ≤3.0.x and ≤2.8.x restore read access to explicitly deleted blobs when Redis blob descriptor caching and storage deletion are both enabled. After an administrator deletes a blob from repository A, the deletion briefly succeeds, but when repository B later accesses the same digest, it repopulates the shared Redis descriptor cache. Repository A then regains unauthorized read access to the deleted blob because stale repository-scoped membership metadata was never invalidated from Redis. This authorization bypass defeats repository-local content revocation with concrete confidentiality impact. CVSS 7.5 (HIGH) with network attack vector, low complexity, and no authentication required. EPSS exploitation probability is very low (0.03%, 9th percentile), suggesting limited real-world targeting despite public POC availability. Vendor-released patch confirms the issue and provides a fix in version 3.1.0.
Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.
Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.
Remote code execution in D-Tale allows unauthenticated attackers to execute arbitrary code on servers hosting D-Tale publicly when using Redis or Shelf storage backends. The vulnerability stems from improper input validation in the storage layer, affecting D-Tale versions prior to 3.22.0. Vendor-released patch version 3.22.0 is available.
Unauthenticated Server-Side Request Forgery (SSRF) in Ech0's /api/website/title endpoint allows remote attackers to access internal network services, cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254), and localhost-bound resources without authentication. The vulnerability accepts arbitrary URLs via the website_url parameter with zero validation, enabling attackers to probe internal infrastructure and exfiltrate partial response data through HTML title tag extraction. CVSS 7.2 reflects the
Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.
Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credent
Server-Side Request Forgery (SSRF) in FastGPT's Model Context Protocol (MCP) tools endpoints allows authenticated attackers to probe internal networks, access cloud metadata services (e.g., AWS/GCP instance credentials), and interact with backend databases like MongoDB and Redis. Affects FastGPT versions prior to 4.14.9.5. The vulnerability has CVSS 7.7 (High) with scope change indicating potential lateral movement to other system components. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Public exploit code exists via GitHub security advisory GHSA-x9vj-5m4j-9mfv with technical details and proof-of-concept guidance.
Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).
A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.
The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. This vulnerability can be chained with services like Redis to achieve Remote Code Execution, making it a critical security concern despite the 7.2 CVSS score.
AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.
CRLF injection in undici's HTTP upgrade handling allows authenticated attackers to inject arbitrary headers and perform request smuggling attacks against backend services like Redis and Elasticsearch when user input is passed unsanitized to the upgrade option. The vulnerability stems from insufficient validation of the upgrade parameter before writing to the socket, enabling attackers to terminate HTTP requests prematurely and route malicious data to non-HTTP protocols. This requires prior authentication and user interaction, with no patch currently available.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
Query injection in @langchain/langgraph-checkpoint-redis allows authenticated users to manipulate RediSearch filter logic by injecting special syntax characters into user-provided keys and values, potentially bypassing access controls. An attacker with valid credentials could craft malicious filter parameters to alter query behavior and access unintended data. The vulnerability affects LangGraph checkpoint implementations using Redis storage and is fixed in version 1.0.2.
Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized device group names, which execute when other users view the group management interface. Public exploit code exists for this vulnerability, affecting LibreNMS deployments across multiple supported platforms. The vulnerability has been patched in version 26.2.0.
Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C.
Laravel Reverb WebSocket server versions 1.6.3 and below have an insecure deserialization vulnerability enabling remote code execution on the backend server.
NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.
An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) run many Docker containers on shared internal networks without firewalling or segmentation. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An open database issue exists in the affected product and version. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
Session revocation bypass in Open WebUI 0.9.0 through 0.9.x (deployments configured with Redis) lets a holder of a revoked JWT keep authenticating realtime Socket.IO connections. The flaw stems from first-message authentication for Socket.IO connect, user-join, join-channels, join-note, and the terminal websocket calling decode_token without the Redis-backed is_valid_token revocation check, so logout, forced-logout, or token invalidation does not sever active realtime access. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the fix is version 0.10.0.
Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.
Single-use authorization-code enforcement can be bypassed under concurrency in the better-auth OAuth provider (@better-auth/oauth-provider 1.6.0 through 1.6.10, the embedded plugin in better-auth 1.4.8-beta.7 through 1.6.10, and the legacy oidc-provider and mcp plugins). Because the POST /oauth2/token authorization_code grant redeems the code via a non-atomic find-then-delete, two concurrent requests carrying the same code both pass the read step and each mint a fresh access, refresh, and id token for the original user's scope. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it CVSS 4.0 7.6 (High) with high confidentiality and integrity impact.
Server-side request forgery in the @better-auth/sso plugin (versions >= 0.1.0 through < 1.6.11, and 1.7.0-beta.x) lets any authenticated Better Auth session register an OIDC provider with attacker-controlled endpoint URLs, which the auth server then fetches during callback and reflects into the user profile - a non-blind SSRF exposing cloud metadata (IMDS 169.254.169.254), internal APIs, and localhost-bound services like Redis. When trustEmailVerified is enabled it escalates to full account takeover via forged emailVerified claims. Carrying a CVSS 9.6 (scope-changed) rating with no public exploit identified at time of analysis, the flaw was reported by Vaadata and fixed in 1.6.11.
Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.
Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the backing Redis store inject a malicious serialized object that Langflow deserializes, yielding arbitrary code execution with full application privileges. Successful exploitation exposes all stored secrets, flow data, and the underlying host, effectively a complete compromise of the Langflow instance. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available per IBM advisory node 7278443.
Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. No public exploit identified at time of analysis, but the deserialization sink and Kryo gadget ecosystem make weaponization straightforward once an attacker can write to the persistence store.
Credential exposure in the Ansible keyring_info module (plugins/modules/keyring_info.py) causes master passwords, SSH key passphrases, and service credentials retrieved from OS-native keystores to be emitted as plaintext in task output, registered variables, and persistent log backends. Any local user with access to Ansible playbook output - including AWX/Tower job logs, Redis or JSON fact caches, and debug task output - can read credentials in full. A proof-of-concept demonstrating plaintext passphrase capture from Ansible output exists, though no confirmed active exploitation (CISA KEV) has been observed. Affected deployments span RHEL 8, 9, and 10 per Red Hat CPE data.
Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege 'configure' permission to coerce the application server into issuing arbitrary outbound network requests to any internal or external host. Affected versions prior to 2025.05.19 pass user-supplied URLs directly to curl_init() in ConfigurationController::testProvider() with no scheme, hostname, or private-IP validation; the intended /api/dbInfo suffix restriction is trivially defeated by appending a # fragment character, granting full URL control. Support for the telnet:// scheme enables internal TCP port scanning, while gopher:// permits raw protocol-level interaction with unauthenticated internal services such as Redis and Memcached, creating a realistic path to Remote Code Execution on those systems under common deployment conditions. No public exploit code or CISA KEV listing has been identified at time of analysis.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
Memory exhaustion in Netty's RedisArrayAggregator handler (io.netty:netty-codec-redis) allows remote unauthenticated attackers to drain the JVM-wide direct-memory pool by repeatedly opening and closing Redis pipeline connections before RESP array aggregates complete. Affects netty-codec-redis 4.1.x through 4.1.134.Final and 4.2.0.Final through 4.2.14.Final; vendor patches are available in 4.1.135.Final and 4.2.15.Final. No public exploit identified at time of analysis, EPSS is low (0.04%), and the issue is not in CISA KEV.
SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.
Remote denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows unauthenticated attackers to exhaust direct memory by sending crafted RESP protocol payloads lacking the required \r\n terminator across multiple concurrent connections. The RedisDecoder buffers digit streams indefinitely while awaiting a line terminator, eventually triggering OutOfDirectMemoryError and preventing legitimate connections from being processed. No public exploit identified at time of analysis, but the vendor advisory GHSA-6ghj-frrj-jjj3 confirms the issue and patched releases are available.
Denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to exhaust JVM heap memory by sending Redis payloads with unbounded nested array headers. The RedisArrayAggregator allocates a new AggregateState and ArrayList for every nested array header without enforcing a depth limit, so a continuous stream of `*1\r\n` headers triggers an OutOfMemoryError. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-Side Request Forgery in NocoDB (npm/nocodb, versions up to and including 2026.05.0) allows authenticated users with connection-test permission to direct the NocoDB server process to open raw TCP sockets to attacker-specified internal destinations, including Redis instances, cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), and internal databases. The vulnerable connection-test endpoint accepted user-supplied database hostnames without DNS resolution or address-range validation, effectively making NocoDB an unauthenticated SSRF proxy to the internal network from the server's vantage point. No public exploit has been identified at time of analysis; a vendor-released patch exists in version 2026.05.1.
Privilege escalation in Arista CloudVision Exchange (CVX) allows an authenticated attacker with network reach to the Redis service to obtain full root access across every server in the CVX cluster. The flaw stems from CVX's reliance on Redis for inter-node coordination combined with the fact that Redis traffic - including authentication - is transmitted in plaintext, meaning anyone who can sniff a single session can replay credentials to compromise the entire cluster. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity.
Pre-authentication arbitrary file deletion in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) is achievable by unauthenticated network attackers via session poisoning of Redis or Memcache storage backends. The root cause (CWE-669: Incorrect Resource Transfer Between Spheres) lies in the application improperly trusting session data read from an external cache tier, allowing crafted entries to bypass pre-authentication controls and trigger file deletion operations. No public exploit has been identified at time of analysis, and EPSS stands at 0.06%, though Roundcube installations are historically targeted by espionage-motivated threat actors and patching is strongly recommended.
Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features.
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.
Missing Redis cache invalidation in Budibase's public API role unassignment endpoint allows users with revoked admin, builder, or app-level privileges to retain full access for up to 1 hour (the hardcoded Redis TTL of 3600 seconds). Affected deployments are Budibase versions prior to 3.38.2 running an enterprise license, where the `POST /api/public/v1/roles/unassign` endpoint writes revocations to CouchDB but never calls `cache.user.invalidateUser()`, leaving the authentication middleware to serve stale permissions from Redis. Publicly available exploit code exists within the GHSA-6vp2-6r7m-2jvx advisory; no confirmed active exploitation (not listed in CISA KEV at time of analysis).
{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.
Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).
Insecure deserialization in Significant-Gravitas AutoGPT platform versions 0.6.34 through 0.6.51 lets an attacker who can poison entries in the shared Redis cache achieve arbitrary command execution inside the backend container. The backend's read path invokes pickle.loads on cache bytes with no HMAC, signature, or schema gate, so any attacker-controlled value reaching that key becomes code on retrieval. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the vendor shipped a fix in autogpt-platform-beta-v0.6.52.
OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.
Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.
Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.
Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.
{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory.
Cross-account email event leakage in Inbox Zero prior to 2.29.3 allows authenticated users of the cleaner feature to receive thread events intended for other authenticated accounts via a shared Redis subscription listener. The vulnerability requires both accounts to be actively using the cleaner feature simultaneously and affects only confidentiality of email metadata, with low attack complexity but requiring prior authentication and precise timing.
Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.
Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.
Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where `call_tool()` and `call_tool_streaming()` reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (`localhost.evil.com` bypassing `startswith` checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).
Server-Side Request Forgery (SSRF) in nuxt-og-image 6.2.5 through 6.4.8 allows remote attackers to bypass the incomplete IPv6 denylist and redirect validation, reaching internal IP addresses and services through incomplete IPv6 prefix filtering and unauthenticated HTTP redirect following. The vulnerability affects the OG image rendering component used by Nuxt applications, enabling attackers to leak internal service responses by injecting crafted IPv6-mapped addresses or chaining external redirects to internal targets.
CRLF injection in Netty's RedisEncoder allows remote command injection and response poisoning by injecting carriage return and line feed characters into InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage objects. Attackers can inject arbitrary Redis commands (such as CONFIG SET, FLUSHALL, or authentication bypass) or forge fake responses when user-controlled input is placed into these message types without sanitization. The vulnerability affects Netty 4.2.12.Final and all prior versions with the codec-redis module; no active exploitation has been reported in CISA KEV, but publicly available proof-of-concept code demonstrates the vulnerability.
Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.
Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.
Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.
Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.
Redis-server with Lua scripting allows authenticated attackers to trigger a use-after-free vulnerability on replicas where replica-read-only is disabled, potentially leading to remote code execution. The vulnerability exploits the master-replica synchronization mechanism and is present in all versions prior to 8.6.3. Patch vendor-released patch: 8.6.3.
Use-after-free in Redis 7.2.0 through 8.6.2 allows authenticated attackers to achieve remote code execution by exploiting error handling in the unblock client flow. When a blocked client is evicted during command re-execution, the server fails to handle the error return from processCommandAndResetClient, triggering memory corruption. Redis has released version 8.6.3 with a security fix. No public exploit code or CISA KEV listing identified at time of analysis, suggesting limited observed exploitation despite the critical RCE impact.
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
All four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1. **Authorization bypass on all four endpoints** (03_readonly_user_bypass.py) - PUT, GET list, GET arns, DELETE all return 200 for readonly-user - Control routes (list-users, kms/status) correctly return 403 - Unauthenticated requests correctly rejected (403 Signature required) 2. **SSRF via health probe** (04_ssrf_listener_landing.py) - HEAD request from rustfs container to attacker-controlled listener - No host validation: only scheme check (http/https) 3. **Target hijacking and event exfiltration** (05_target_hijacking.py, 06_full_event_exfil.py) - Readonly-user overwrites admin-configured target URL by name - Subsequent S3 events delivered to attacker-controlled endpoint - Captured event body includes object keys, bucket names, user identities, and request metadata 4. **Audit evasion** (05_target_hijacking.py) - Readonly-user can delete unbound targets - Readonly-user can overwrite bound targets (silently redirecting events) 1. **Self-referencing webhook to admin API** (13_self_referencing_test.py) - Webhook sends unsigned POST with event JSON body - Admin endpoints require SigV4 auth -- unsigned request rejected - "Confused deputy" via self-referencing does NOT work 2. **Protocol smuggling via non-HTTP targets** - Only 2 target types implemented: webhook and MQTT (`event.rs:613` enforces this) - No Redis, Kafka, AMQP, or other protocol targets exist - CRLF injection in webhook config fields sanitized by reqwest - MQTT uses rumqttc (pure Rust binary protocol client), no raw TCP injection 3. **MQTT target for RCE** - No unsafe code in MQTT handler - rumqttc 0.29.0 has no known public CVEs - No Command::new, template engines, or deserialization of broker responses 4. **Unauth access** - Endpoints correctly reject unauthenticated requests (403) - Endpoints correctly reject invalid credentials (403) No existing advisory covers notification target endpoints. 11 published GHSAs on rustfs/rustfs cover different handlers. Closest: - CVE-2026-22042 (ImportIam wrong action constant) -- same bug class, different file - CVE-2026-22043 (deny_only short-circuit) -- different bug class Submit via GitHub PVR. The finding is well-supported with live PoC, code references, and clear root cause. The fix is straightforward (add `validate_admin_request` calls to event.rs handlers). Core submission should reference 2-3 focused PoC scripts (readonly bypass, target hijack, event exfil), not the full set of 13 exploratory scripts. Koda Reef This issue has been patched in version https://github.com/rustfs/rustfs/releases/tag/1.0.0-alpha.94.
Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.
Server-Side Request Forgery in Vexa meeting bot allows unauthenticated remote attackers to forge HTTP POST requests to arbitrary internal URLs (Redis, databases, cloud metadata endpoints) via unvalidated webhook configuration, enabling credential theft and lateral movement. CVSS 5.8 with network attack vector and no user interaction required. Fixed in version 0.10.0-260419-1910.
{ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows
Distribution container registry versions ≤3.0.x and ≤2.8.x restore read access to explicitly deleted blobs when Redis blob descriptor caching and storage deletion are both enabled. After an administrator deletes a blob from repository A, the deletion briefly succeeds, but when repository B later accesses the same digest, it repopulates the shared Redis descriptor cache. Repository A then regains unauthorized read access to the deleted blob because stale repository-scoped membership metadata was never invalidated from Redis. This authorization bypass defeats repository-local content revocation with concrete confidentiality impact. CVSS 7.5 (HIGH) with network attack vector, low complexity, and no authentication required. EPSS exploitation probability is very low (0.03%, 9th percentile), suggesting limited real-world targeting despite public POC availability. Vendor-released patch confirms the issue and provides a fix in version 3.1.0.
Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.
Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.
Remote code execution in D-Tale allows unauthenticated attackers to execute arbitrary code on servers hosting D-Tale publicly when using Redis or Shelf storage backends. The vulnerability stems from improper input validation in the storage layer, affecting D-Tale versions prior to 3.22.0. Vendor-released patch version 3.22.0 is available.
Unauthenticated Server-Side Request Forgery (SSRF) in Ech0's /api/website/title endpoint allows remote attackers to access internal network services, cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254), and localhost-bound resources without authentication. The vulnerability accepts arbitrary URLs via the website_url parameter with zero validation, enabling attackers to probe internal infrastructure and exfiltrate partial response data through HTML title tag extraction. CVSS 7.2 reflects the
Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.
Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credent
Server-Side Request Forgery (SSRF) in FastGPT's Model Context Protocol (MCP) tools endpoints allows authenticated attackers to probe internal networks, access cloud metadata services (e.g., AWS/GCP instance credentials), and interact with backend databases like MongoDB and Redis. Affects FastGPT versions prior to 4.14.9.5. The vulnerability has CVSS 7.7 (High) with scope change indicating potential lateral movement to other system components. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Public exploit code exists via GitHub security advisory GHSA-x9vj-5m4j-9mfv with technical details and proof-of-concept guidance.
Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).
A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.
The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. This vulnerability can be chained with services like Redis to achieve Remote Code Execution, making it a critical security concern despite the 7.2 CVSS score.
AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.
CRLF injection in undici's HTTP upgrade handling allows authenticated attackers to inject arbitrary headers and perform request smuggling attacks against backend services like Redis and Elasticsearch when user input is passed unsanitized to the upgrade option. The vulnerability stems from insufficient validation of the upgrade parameter before writing to the socket, enabling attackers to terminate HTTP requests prematurely and route malicious data to non-HTTP protocols. This requires prior authentication and user interaction, with no patch currently available.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Unsafe deserialization in the RedisCache component of datapizza-ai 0.0.2 allows authenticated local network attackers to achieve limited information disclosure and integrity compromise through manipulation of cache operations. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires local network access and elevated privileges, making practical attacks difficult but feasible in trusted environments.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
Query injection in @langchain/langgraph-checkpoint-redis allows authenticated users to manipulate RediSearch filter logic by injecting special syntax characters into user-provided keys and values, potentially bypassing access controls. An attacker with valid credentials could craft malicious filter parameters to alter query behavior and access unintended data. The vulnerability affects LangGraph checkpoint implementations using Redis storage and is fixed in version 1.0.2.
Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized device group names, which execute when other users view the group management interface. Public exploit code exists for this vulnerability, affecting LibreNMS deployments across multiple supported platforms. The vulnerability has been patched in version 26.2.0.
Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C.
Laravel Reverb WebSocket server versions 1.6.3 and below have an insecure deserialization vulnerability enabling remote code execution on the backend server.
NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.
An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) run many Docker containers on shared internal networks without firewalling or segmentation. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An open database issue exists in the affected product and version. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.