CVE-2026-27623

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27623
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/valkey-io/valkey/security/advisories/GHSA-93p9-5vc7-8wgr Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*
History

25 Feb 2026, 17:58

Type Values Removed Values Added
CPE cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*
First Time Lfprojects valkey
Lfprojects
References () https://github.com/valkey-io/valkey/security/advisories/GHSA-93p9-5vc7-8wgr - () https://github.com/valkey-io/valkey/security/advisories/GHSA-93p9-5vc7-8wgr - Vendor Advisory
Summary
  • (es) Valkey es una base de datos distribuida de clave-valor. A partir de la versión 9.0.0 y antes de la versión 9.0.3, un actor malintencionado con acceso de red a Valkey puede provocar que el sistema aborte al activar una aserción. Al procesar las solicitudes entrantes, el sistema Valkey no restablece correctamente el estado de la red después de procesar una solicitud vacía. Un actor malintencionado puede entonces enviar una solicitud que el servidor identifica incorrectamente como una ruptura de las invariantes del lado del servidor, lo que resulta en el apagado del servidor. La versión 9.0.3 corrige el problema. Como una mitigación adicional, aísle adecuadamente las implementaciones de Valkey para que solo los usuarios de confianza tengan acceso.

23 Feb 2026, 20:28

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-23 20:28

Updated : 2026-02-25 17:58

NVD link : CVE-2026-27623

Mitre link : CVE-2026-27623

CVE.ORG link : CVE-2026-27623

JSON object : View

Products Affected

lfprojects

  • valkey
CWE
CWE-20

Improper Input Validation