PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27623 valkey-io CVE debrief

CVE-2026-27623 is a HIGH severity vulnerability in Valkey, a distributed key-value database. A malicious actor with network access can cause the system to abort by triggering an assertion. The issue arises from the system's improper handling of empty requests, allowing an attacker to send a request that the server incorrectly identifies as breaking server-side invariants, resulting in the server shutting down. This vulnerability affects Valkey versions 9.0.0 to 9.0.2 and is fixed in version 9.0.3. As an additional mitigation, it is recommended to properly isolate Valkey deployments so that only trusted users have access.

Vendor
valkey-io
Product
valkey
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-23
Original CVE updated
2026-06-30
Advisory published
2026-02-23
Advisory updated
2026-06-30

Who should care

Organizations using Valkey versions 9.0.0 to 9.0.2 should be concerned about this vulnerability. The issue allows a malicious actor with network access to cause the system to shut down, potentially leading to denial-of-service attacks. Users of Valkey should update to version 9.0.3 or apply additional mitigations to prevent exploitation.

Technical summary

The vulnerability in Valkey arises from the improper resetting of networking state after processing an empty request. This allows a malicious actor with network access to send a crafted request that the server incorrectly identifies as violating a server-side invariant, which triggers an assertion and aborts the server process. The issue is addressed in Valkey version 9.0.3. The CVSS score for this vulnerability is 7.5, indicating a HIGH severity level. The attack vector is network-based, with low attack complexity and no required privileges or user interaction.

Defensive priority

High priority should be given to updating Valkey to version 9.0.3. Additionally, consider isolating Valkey deployments to limit access to trusted users only.

Recommended defensive actions

  • Update Valkey to version 9.0.3 or later.
  • Isolate Valkey deployments to restrict access to trusted users.
  • Monitor Valkey instances for unusual activity.
  • Review and adjust network access controls to limit exposure.
  • Consider implementing additional security measures to detect and prevent similar attacks.
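The first action above is a version check. As an added example (not part of the original debrief or the Valkey project), the script below reads `INFO server` output collected from Valkey instances and flags any instance whose version falls in the affected range named in this debrief (9.0.0 to 9.0.2, fixed in 9.0.3). It assumes the version is reported in a `valkey_version:` line of the `INFO server` response (field name assumed); the sample responses are constructed for illustration.

```python
"""Triage Valkey instances against the CVE-2026-27623 affected range.

Added example, not code from the debrief or from Valkey itself.
Assumption: `INFO server` output carries a `valkey_version:X.Y.Z` line.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Range taken from the debrief: 9.0.0 through 9.0.2 affected, 9.0.3 fixed.
AFFECTED_MIN: Version = (9, 0, 0)
AFFECTED_MAX: Version = (9, 0, 2)
FIXED: Version = (9, 0, 3)

# INFO replies are CRLF-separated "key:value" lines; match at line start.
VERSION_LINE = re.compile(r"^valkey_version:(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_version(info_text: str) -> Optional[Version]:
    """Return (major, minor, patch) from INFO server text, or None if absent."""
    m = VERSION_LINE.search(info_text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version lies inside the affected range (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(info_text: str) -> str:
    """Classify one instance: 'vulnerable', 'not-affected' or 'unknown'."""
    version = parse_version(info_text)
    if version is None:
        return "unknown"          # field missing: cannot rule it out, escalate manually
    return "vulnerable" if is_affected(version) else "not-affected"


def triage(fleet: Dict[str, str]) -> Dict[str, str]:
    """Map each host label to its assessment from its INFO server output."""
    return {host: assess(info) for host, info in fleet.items()}


# Constructed sample INFO server responses (not captured from real systems).
SAMPLE_FLEET = {
    "cache-01": "# Server\r\nredis_version:7.2.4\r\nvalkey_version:9.0.1\r\nredis_mode:standalone\r\n",
    "cache-02": "# Server\r\nredis_version:7.2.4\r\nvalkey_version:9.0.3\r\nredis_mode:standalone\r\n",
    "cache-03": "# Server\r\nredis_version:7.2.4\r\nvalkey_version:8.1.0\r\nredis_mode:standalone\r\n",
    "cache-04": "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```

Feed it the `INFO server` text gathered by whatever inventory tooling already talks to your instances; hosts reported as `unknown` lack the expected version line and should be checked by hand rather than assumed safe.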

Evidence notes

The CVE-2026-27623 vulnerability is documented in the NVD database and has a CVSS score of 7.5. The issue is caused by the improper handling of empty requests in Valkey versions 9.0.0 to 9.0.2. The vulnerability can be exploited by a malicious actor with network access, potentially leading to a denial-of-service attack. The fix is included in Valkey version 9.0.3.

Official resources

This article is AI-assisted and based on the supplied source corpus.