Yugabytedb
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Yugabytedb.
By the Year
In 2026 there have been 0 vulnerabilities in Yugabytedb. Last year, in 2025 Yugabytedb had 3 security vulnerabilities published. Right now, Yugabytedb is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 3 | 0.00 |
| 2024 | 1 | 0.00 |
| 2023 | 3 | 7.03 |
| 2022 | 1 | 9.80 |
It may take a day or so for new Yugabytedb vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Yugabytedb Security Vulnerabilities
YugabyteDB YCQL Tablet Server DoS via Null Pointer Deref.
CVE-2025-8865
- August 11, 2025
The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service.
YugaByteDB Info Disclosure via Unmasked SAS Token in Backup
CVE-2025-8864
- August 11, 2025
Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs
YugabyteDB Diagnostic Info Sent Over HTTP – SDE Vulnerability
CVE-2025-8863
- August 11, 2025
YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission
Buffer Overflow in YugabyteDB 2.21.1.0 via INSERT INTO param
CVE-2024-41435
- September 03, 2024
YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the "insert into" parameter.
YugabyteDB XSS via Log Injection
CVE-2023-6002
6.1 - Medium
- November 08, 2023
YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs.
XSS
YugabyteDB Anywhere Prometheus Metrics Exposure Without Auth
CVE-2023-6001
7.5 - High
- November 08, 2023
Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment.
AuthZ
YugabyteDB Anywhere v2.0.0-2.17.3 AuthBreach LoggingLevelController
CVE-2023-4640
7.5 - High
- August 30, 2023
The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3
YugabyteDB 2.6.1 LDAP Auth Bypass in YCQL with AD (CVE-2022-37397)
CVE-2022-37397
9.8 - Critical
- August 12, 2022
An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsofts Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.
authentification
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Yugabytedb or by Yugabyte? Click the Watch button to subscribe.
