CVE-2026-27623
Plain English Summary
AI-powered analysis for quick understanding
An attacker with network access to the Valkey database can send a specially crafted request that causes the system to crash, disrupting service. This vulnerability affects versions 9.0.0 to 9.0.2, so it's crucial to upgrade to version 9.0.3 or ensure that only trusted users can access the system.
Technical Description
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
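The advisory gives only a version range (9.0.0 up to but not including 9.0.3) and two mitigations; a practitioner auditing a fleet will want a repeatable way to check which servers fall in that range. The following is an added example, not code from the Valkey project or from this advisory. It parses the text returned by the `INFO server` command and reports whether the version is affected. The field names `valkey_version` and `redis_version` are assumed here to be the ones Valkey prints in its INFO output; the sample response is constructed for the example.

```python
"""Flag Valkey servers whose reported version falls in the range the advisory
names for CVE-2026-27623 (9.0.0 <= version < 9.0.3).

Added example, not part of the advisory or the Valkey project.
"""
import re

# Range taken from the advisory text: affected from 9.0.0, fixed in 9.0.3.
AFFECTED_MIN = (9, 0, 0)
FIXED = (9, 0, 3)

# Assumption: Valkey's INFO server section exposes the version under
# "valkey_version"; compatibility builds may only carry "redis_version".
VERSION_FIELDS = ("valkey_version", "redis_version")

# Constructed sample of an INFO server response (CRLF-separated, as the
# protocol returns it). Not captured from a real server.
SAMPLE_INFO = (
    "# Server\r\n"
    "valkey_version:9.0.2\r\n"
    "redis_version:7.2.4\r\n"
    "valkey_mode:standalone\r\n"
    "tcp_port:6379\r\n"
)


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' (optionally followed by a suffix) into a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def info_fields(info_text):
    """Parse INFO output into a dict, skipping section headers and blank lines."""
    fields = {}
    for raw in info_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def version_from_info(info_text):
    """Prefer the Valkey-specific field, fall back to the compatibility field."""
    fields = info_fields(info_text)
    for key in VERSION_FIELDS:
        if key in fields:
            return parse_version(fields[key])
    raise ValueError("no version field found in INFO output")


def is_affected(version):
    """True when the version lies in [9.0.0, 9.0.3) per the advisory."""
    return AFFECTED_MIN <= tuple(version) < FIXED


def assess(info_text):
    """Summarise the finding for one server's INFO output."""
    version = version_from_info(info_text)
    affected = is_affected(version)
    return {
        "version": ".".join(str(p) for p in version),
        "affected": affected,
        "action": (
            "upgrade to 9.0.3 or later; until then restrict network access to trusted clients"
            if affected
            else "not in the affected range"
        ),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

In a real audit the `INFO server` text would come from each node over an authenticated client connection; feeding that text to `assess` gives a per-host record that can be rolled up into a list of nodes still needing the upgrade.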
CVSS Vector Analysis
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Quick Information
Published
Feb 23, 2026
Last Modified
Feb 25, 2026
Vendor
lfprojects
Product
valkey
Related Vulnerabilities
An attacker with access to the Valkey database's clusterbus port can send a specially crafted packet that may crash the system, disrupting service. To exploit this vulnerability, the attacker must already have access to the clusterbus, so it's crucial to restrict access with proper network controls.
This vulnerability allows a malicious user to inject harmful data into the responses sent to clients, which can corrupt or alter the information other users receive on the same connection. It affects specific versions of the Valkey database, and the issue arises from improper handling of errors in scripting commands.
An attacker can exploit a flaw in the MCP Python SDK to send unauthorized requests to a local server running without authentication, potentially accessing sensitive resources or executing commands on behalf of the user. This vulnerability occurs only if the server is set up on localhost without proper security measures, making it critical to avoid running such servers without authentication.
An attacker can exploit this vulnerability to send unauthorized requests to a local MCP server running on a user's machine, potentially accessing sensitive resources or tools. This can happen if the server is running without authentication on localhost and does not have DNS rebinding protection enabled, which is a risky setup that should be avoided.