CVE-2026-27623

Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/valkey-io/valkey/security/advisories/GHSA-93p9-5vc7-8wgr	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-23 20:28

Updated : 2026-02-25 17:58

NVD link : CVE-2026-27623

Mitre link : CVE-2026-27623

CVE.ORG link : CVE-2026-27623

JSON object : View

Products Affected

lfprojects

valkey

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2026-27623", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-23T20:28:55.217", "references": [{"url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-93p9-5vc7-8wgr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access."}, {"lang": "es", "value": "Valkey es una base de datos distribuida de clave-valor. A partir de la versi\u00f3n 9.0.0 y antes de la versi\u00f3n 9.0.3, un actor malintencionado con acceso de red a Valkey puede provocar que el sistema aborte al activar una aserci\u00f3n. Al procesar las solicitudes entrantes, el sistema Valkey no restablece correctamente el estado de la red despu\u00e9s de procesar una solicitud vac\u00eda. Un actor malintencionado puede entonces enviar una solicitud que el servidor identifica incorrectamente como una ruptura de las invariantes del lado del servidor, lo que resulta en el apagado del servidor. La versi\u00f3n 9.0.3 corrige el problema. Como una mitigaci\u00f3n adicional, a\u00edsle adecuadamente las implementaciones de Valkey para que solo los usuarios de confianza tengan acceso."}], "lastModified": "2026-02-25T17:58:27.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CAEFEBA-E7CB-4EB1-B1FB-F8FDC550DE1B", "versionEndExcluding": "9.0.3", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}