There’s now another reason an immediate patch is needed for organizations running Valkey clusters, according to Percona (and other database experts.)
In this article, I’ll detail four CVEs affecting your Valkey database. I’ll tell you what they are, why they’re dangerous, and detail, step-by-step, exactly what you should do for your users to avoid seeing a deface page the next time they visit your website.
But first, some background.
What is Valkey, and what’s it used for?
It’s safe to assume that most of you reading this article will know your way around database management systems. And, if so, you’ll also know that not all DBMS’ are built equal. A system considered ‘mainstream’ by one group of developers may not be seen that way by others – and that’s exactly the case with Valkey.
In a way, Valkey is like MySQL or SQL Server – and in other ways, it’s different. According to Valkey themselves, it’s an open-source, high-performance key-value datastore, able to support a wide variety of workloads. These workloads include (but are not limited to), caching, message queues, session storage, real-time analytics, AI and vector workloads, and more.
Valkey is considered a NoSQL database. As such, it solves issues for developers storing flexible structures, including geospatial data, vectors, and anything else that fits into the key-value database category. Valkey is used in industries like gaming, AI systems, and other high-traffic web applications.
Why is Valkey used in these industries?
Valkey is commonly used in these industries because it provides developers with quite a few advantages:
- Low latency
Since Valkey is primarily an in-memory datastore, it stores all of its data in operating memory (RAM), so is able to serve frequently-accessed data from its operating memory. This dramatically reduces load and improves performance. - Massive throughput
Valkey’s infrastructure allows it to process millions of queries per second (depending on specific hardware), which is why it’s used in applications necessitating real-time processing. - Flexible data structures
As a NoSQL database, Valkey supports multiple data structures including lists, streams, geospatial data, vectors, and more. Developers use these capabilities to optimize data storage and access patterns based on their exact use case. - Efficient session management where necessary
Since Valkey supports automation expiration and read/write operations, it’s popular for developers working with user sessions, authentication tokens, and other data. It has built-in support for Time-To-Live (TTL), meaning that data can automatically expire after a given period of time.
For example, running a query like SET session:ID session_data EX 3600 would:
- Create or update a key session:ID (like session:12345…)
- Enable the key to hold the value
session_data. - Set the expiration time to 3600 seconds (1 hour.) After an hour passes, this key would be destroyed.
In this case, if we run a query like SET user:1 “Bob“ on Valkey, it’ll update the key user:1 with the value of Bob. Should the key not already exist, Valkey will create it.
Why does Valkey follow this format?
The reason why Valkey follows such a format is because the “:“ here is a naming convention. It tells Valkey how to interact with the data – for example:
- User:1 is a user with the ID of 1.
- Any name after it means that the key bearing a specific ID would have a string value attached to it (e.g. SET user:1 “Bob“ would affect a key titled user with the ID of 1 and set its string value to “Bob“).
Session:token:431426ca26f246bf692f327bbc0c27e6would be a session token bearing an MD5 hash.
Simple Talk is brought to you by Redgate Software
What is a CVE?
CVEs (Common Vulnerabilities and Exposures) are a way for security researchers (and hackers) to map a security flaw to a standardized and globally-recognized identifier, allowing for easier recognition and triage.
What does a CVE entry look like?
A CVE entry looks like CVE-YEAR-ID. CVE identifies the vulnerability, YEAR is the year the vulnerability was discovered, and ID is a four-digit serial number identifying the security bug.
For example, CVE-2026-6682 would refer to a vulnerability discovered in 2026 with the ID of 6682.
Knowing this is vital, because no one ID is the same. That’s sort of the entire point of having CVEs in the first place – each ID maps to one specific vulnerability.
What are the 4 CVEs affecting Valkey today?
Now for the specific CVEs affecting Valkey. These are:
CVE-2025-67733
CVE-2026-21863
CVE-2026-21864
CVE-2026-27623
In detail:
| CVE ID | About |
| CVE-2025-67733 | Due to code not properly handling NULL characters, a malicious party could use commands to return tampered data to users. |
| CVE-2026-21863 | Certain versions of Valkey may crash due to an attacker sending malformed packets. |
| CVE-2026-21864 | Certain versions of Valkey may be intentionally crashed by an attacker. The flaw could be used as a denial-of-service (DoS) attack vector. |
| CVE-2026-27623 | Certain versions of Valkey may be purposefully crashed by an attacker, the flaw could be used as a DoS attack vector. |
All CVEs except CVE-2026-21864 affect the Valkey server.
CVE-2026-21864, meanwhile, affects portions of pre-packaged Valkey images (Valkey-bloom and Valkey-bundle.) Valkey’s creators have already released new versions that include security patches for these vulnerabilities.
What to do right now
You should upgrade your Valkey installation to a version that isn’t vulnerable to these kinds of attacks.
Upgrade to one of the following:
- Valkey-bloom 1.0.1 or above if you’re using Valkey-bloom.
- Valkey-server 7.2.12 or above if you’re using Valkey Server 7.
- Valkey-server 8.0.7 or 8.1.6 if you’re using Valkey Server 8.
- Valkey-server 9.0.3 or above if you’re running Valkey Server 9.
If you’re not running Valkey at all, these flaws don’t apply to your infrastructure, and you’re safe.
What these 4 CVEs affecting Valkey mean for you
With the CVEs being vulnerable mostly to DoS attacks, any unpatched versions of Valkey could be exploited by hackers. If you’re not running Valkey, you don’t need to worry. If you are, check to see if your version of Valkey is vulnerable to these CVEs or not.
After doing so, keep in mind that database security doesn’t end there. Security for any database (or application) is an ongoing process that requires continuous monitoring, timely patching, and proper best practices. Take a look into the severity rating of one of these CVEs – even DoS-related vulnerabilities are classified as having HIGH severity. This is especially the case for services that depend on Valkey for caching, session storage, rate limiting, or queue management.
The consequences of a successful attack
A successful attack against an exposed or unpatched Valkey deployment, using one or more of the aforementioned CVEs, could lead to degraded application performance, customer unsatisfaction, and data vulnerabilities, among other issues.
In environments where high availability is critical, even a short disruption in service can translate into financial loss, reputation damage, and incident response overhead.
Next steps (and why security is not a ‘one-and-done’ situation)
That’s why you need to continuously educate yourself by attending workshops, conferences, reading books, following security researchers, participating in hands-on labs, and staying up to date with vulnerability disclosures affecting the technologies your organization depends on.
Database and application security is not a static field — attack techniques evolve, and defensive strategies need to evolve alongside them. Black Hat OSINT may be a good starting point for those of you that wonder how your own data is stolen, weaponized, and used against you. Likewise, keeping an eye out for some YouTube videos related to Valkey is a good idea, too.
Protect your data. Demonstrate compliance.
FAQs: The 4 CVEs currently affecting Valkey databases
1. What are the 4 CVEs currently affecting Valkey databases?
4 CVEs affect Valkey right now: CVE-2025-67733, CVE-2026-21863, CVE-2026-21864, and CVE-2026-27623. Three of them are denial-of-service (DoS) vectors, and one allows NULL character exploitation to return tampered data to users.
2. Which versions of Valkey are vulnerable?
Any Valkey server below 7.2.12, 8.0.7, 8.1.6, or 9.0.3 is affected. Valkey-bloom versions below 1.0.1 are also vulnerable via CVE-2026-21864.
3. How do I patch my Valkey installation?
Upgrade to the relevant patched release: Valkey 7 → 7.2.12+, Valkey 8 → 8.0.7 or 8.1.6, Valkey 9 → 9.0.3+, Valkey-bloom → 1.0.1+. Apply the update immediately if your deployment is public-facing.
4. What is CVE-2026-21864 and what does it affect?
Unlike the other three CVEs, CVE-2026-21864 targets pre-packaged Valkey images — specifically Valkey-bloom and Valkey-bundle — rather than the server itself. An attacker can use it to intentionally crash the service as a DoS attack.
5. Am I at risk if I don't use Valkey?
No. These vulnerabilities are specific to Valkey deployments. If your infrastructure does not run Valkey, none of these CVEs apply to you.
6. What's the real-world impact of an unpatched Valkey deployment?
A successful exploit can cause service outages, data integrity issues, financial loss, and reputational damage — especially for apps relying on Valkey for caching, session storage, rate limiting, or queue management.
Load comments