---
title: "Security bulletins"
description: "Aerospike Database security bulletins disclosing vulnerabilities and available fixes"
---

# Security bulletins

Aerospike publishes security bulletins to disclose vulnerabilities found in Aerospike Database and inform customers about risks that may be present in their environments.

Bulletins are published when fixes are available in affected releases. Each bulletin includes the vulnerability type, severity, a description of the issue and its impact, and available mitigations or fixes.

| Bulletin | Type | Severity | CVE | Subject | Fixed in |
| --- | --- | --- | --- | --- | --- |
| [AS-2026-008](#as-2026-008) | Filter Bypass | Medium | CVE-2026-55753 | CDT filter expression validation bypass for list and map values | 7.2.0.20, 8.0.0.18, 8.1.2.3 |
| [AS-2026-007](#as-2026-007) | Memory Leak | Medium | CVE-2026-55749 | Memory leak in proxy target when receiving malformed or oversized requests | 5.7.0.33, 7.2.0.20, 8.0.0.18, 8.1.2.3 |
| [AS-2026-006](#as-2026-006) | Out-of-Bounds Read | Medium | _CVE-2026-PENDING_ | Out-of-bounds read in msgpack integer comparison causes crash | 5.7.0.33, 7.2.0.20, 8.0.0.18, 8.1.2.3 |
| [AS-2026-005](#as-2026-005) | Sandbox Escape | Critical | CVE-2026-55756 | Lua UDF sandbox escape allows arbitrary OS command execution | 5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2 |
| [AS-2026-004](#as-2026-004) | Integer Overflow | High | CVE-2026-55754 | Integer overflow in msgpack parser and compactify accepts truncated structures | 5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2 |
| [AS-2026-003](#as-2026-003) | Heap Buffer Overflow | Critical | CVE-2026-55755 | Heap buffer overflow in batch write parsing allows remote code execution | 5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2 |
| [AS-2026-002](#as-2026-002) | Integer Overflow | High | _CVE-2026-PENDING_ | Integer overflow in msgpack size calculator accepts truncated structures | 5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2 |
| [AS-2026-001](#as-2026-001) | Path Traversal | High | CVE-2026-55702, CVE-2026-55757, _CVE-2026-PENDING_ | UDF filename path traversal allows arbitrary file read, write, and delete | 5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2 |

## AS-2026-008

**AER-6930  ·  Filter Bypass  ·  Medium  ·  CVE-2026-55753**

List and map values embedded in CDT filter expressions bypassed the expression validator. A client able to issue filter expression queries could supply malformed CDT values that the server processed without validation, leading to undefined behavior in downstream CDT evaluation.

### Conditions

-   Versions 5.6.0 and later
-   Reachable via any operation that evaluates CDT filter expressions containing list or map values
-   No elevated privileges required beyond the ability to issue read or write operations

### Fix

Added validation to reject list and map values in filter expressions that previously passed through the expression validator unchecked.

Fixed in: **7.2.0.20, 8.0.0.18, 8.1.2.3**

### Workaround

None known.

---

## AS-2026-007

**AER-6926  ·  Memory Leak  ·  Medium  ·  CVE-2026-55749**

When a node acting as a proxy target received malformed or oversized requests, allocated memory was not released, causing a gradual memory leak. A client or peer node able to send repeated malformed requests could exhaust server memory.

### Conditions

-   Versions 3.9.0 and later
-   Triggered by malformed or oversized requests forwarded to a proxy target node
-   Reachable via any client transaction that is proxied to another node

### Fix

Fixed the memory management path in the proxy target to release allocated buffers when malformed or oversized requests are encountered.

Fixed in: **5.7.0.33, 7.2.0.20, 8.0.0.18, 8.1.2.3**

### Workaround

None known.

---

## AS-2026-006

**AER-6925  ·  Out-of-Bounds Read  ·  Medium  ·  _CVE-2026-PENDING_**

A rare out-of-bounds read in the msgpack integer comparison path could cause the server to crash. The issue was triggered by certain CDT operations that compared msgpack-encoded integer values.

### Conditions

-   Versions 4.9.0 and later
-   Triggered by CDT operations that compare msgpack integer values in specific edge-case encodings
-   No elevated privileges required beyond the ability to issue CDT operations

### Fix

Added bounds checking in the msgpack integer comparison path to prevent the out-of-bounds read.

Fixed in: **5.7.0.33, 7.2.0.20, 8.0.0.18, 8.1.2.3**

### Workaround

None known.

---

## AS-2026-005

**AER-6914  ·  Sandbox Escape  ·  Critical  ·  CVE-2026-55756**

A user with UDF admin privileges can register a Lua UDF that calls `os.execute()`, `io.popen()`, or other dangerous standard library functions to execute arbitrary OS commands as the Aerospike process user.

### Conditions

-   All versions since UDFs were introduced (3.1.3 and later)
-   Requires `PERM_UDF_ADMIN` privilege
-   Any deployment using Lua UDFs

### Fix

Added [`allow-unsafe-lua`](https://aerospike.com/docs/database/reference/config/#mod-lua__allow-unsafe-lua), a new configuration option that defaults to `false` in the fixed releases. When unsafe Lua is disabled, the server removes dangerous globals (`os`, `io`, `debug`, `dofile`, `loadfile`, `load`, `loadstring`), clears cached module references in `package.loaded`, drops native-code searchers from `package.searchers`, forces text-only loading to reject bytecode chunks, and rejects `.so` module registration. See [UDF security and sandbox hardening](https://aerospike.com/docs/database/advanced/udf/security) for hardened-mode behavior and the migration checklist.

Reported through coordinated disclosure as CALIF-2026-44624. Thanks to Thai Duong and Bruce Dang of [Calif](http://calif.io/) for reporting these vulnerabilities.

Fixed in: **5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2**

### Workaround

Restrict UDF admin privileges to trusted users only, or [disable UDFs entirely](https://aerospike.com/docs/database/reference/config#service__disable-udf-execution).

---

## AS-2026-004

**AER-6911  ·  Integer Overflow  ·  High  ·  CVE-2026-55754**

Crafted msgpack payloads with extremely large list or map element counts cause the server’s msgpack parser and compactify logic to accept truncated structures as complete. This is the same class of defect as AS-2026-002 but on a separate code path used by `msgpack_compactify()`, affecting HLL operations, secondary index creation with CDT context, and query processing.

### Conditions

-   All versions (3.1.3 and later)
-   Triggered by crafted msgpack with large map or list sizes (for example, a map32 with `0x80000000` entries or a list32 with `UINT32_MAX` elements)
-   Reachable via HLL add and union operations, secondary index creation with CDT context, and query setup

### Fix

Applied the same overflow-checked arithmetic used in the size calculator (AS-2026-002) to the parse and compactify path. The server rejects malformed msgpack with an overflow condition.

Fixed in: **5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2**

### Workaround

None known.

---

## AS-2026-003

**AER-6910  ·  Heap Buffer Overflow  ·  Critical  ·  CVE-2026-55755**

A crafted batch write message with an undersized op can crash the server or cause heap memory corruption. Deployments without authentication enabled are vulnerable to unauthenticated remote exploitation.

### Conditions

-   All versions since batch writes were introduced (3.6.0 and later)
-   No authentication required if security is disabled
-   Triggered by a crafted batch write message with an op whose declared size is smaller than the fixed header fields plus the bin name

### Fix

Batch op parsing now validates each op’s declared size before advancing, matching the validation already present in the single-record transaction path. Malformed ops are rejected and the batch sub-transaction fails cleanly.

Fixed in: **5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2**

### Workaround

Enable authentication to prevent unauthenticated access.
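The check described in the fix above, as an added example that is not Aerospike's batch parser: each op's declared size is validated against the fixed header plus the bin name before the cursor advances, and the first malformed op fails the whole sub-message. The op layout (4-byte size, four header bytes, name, value) and the `batch_op`, `parse_batch_op` and `unchecked_value_sz` names are this example's own simplification of the format the bulletin describes.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified op layout assumed for this example (not the exact Aerospike wire
 * format): [4-byte big-endian op_sz][op][particle_type][flags][name_sz]
 * [name_sz bytes of bin name][value bytes]; op_sz counts everything after
 * the size field. */
#define OP_FIXED_HDR 4u   /* op, particle_type, flags, name_sz */

typedef struct { uint8_t op, particle_type, name_sz; const uint8_t *name, *value; size_t value_sz; } batch_op;

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Pre-fix arithmetic: with op_sz below header plus name, the unsigned
 * subtraction wraps and the value length looks enormous (5, 3 -> 0xFFFFFFFE). */
uint32_t unchecked_value_sz(uint32_t op_sz, uint8_t name_sz) {
    return op_sz - OP_FIXED_HDR - name_sz;
}

/* Parses one op. Returns bytes consumed (size field plus op_sz), or 0 for a
 * malformed op so the caller never advances past what has been checked. */
size_t parse_batch_op(const uint8_t *buf, size_t len, batch_op *out) {
    if (len < 4) return 0;
    uint32_t op_sz = rd_be32(buf);
    if (op_sz < OP_FIXED_HDR || len - 4 < op_sz) return 0;  /* header and op must fit */
    const uint8_t *p = buf + 4;
    out->op = p[0]; out->particle_type = p[1]; out->name_sz = p[3];
    if (op_sz - OP_FIXED_HDR < out->name_sz) return 0;      /* the lower bound the fix adds */
    out->name = p + OP_FIXED_HDR;
    out->value = out->name + out->name_sz;
    out->value_sz = op_sz - OP_FIXED_HDR - out->name_sz;
    return 4 + (size_t)op_sz;
}

/* Walks every op in a batch write sub-message. Returns the op count, or -1
 * so the whole sub-transaction fails cleanly on the first malformed op. */
int parse_batch_ops(const uint8_t *buf, size_t len, batch_op *ops, int max_ops) {
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        if (n == max_ops) return -1;
        size_t used = parse_batch_op(buf + off, len - off, &ops[n]);
        if (used == 0) return -1;
        off += used;
    }
    return n;
}
```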

---

## AS-2026-002

**AER-6909  ·  Integer Overflow  ·  High  ·  _CVE-2026-PENDING_**

Crafted msgpack payloads with extremely large list or map element counts cause the server’s msgpack size calculator to return incorrect sizes. The integer overflow makes a truncated msgpack object appear complete, potentially leading to confused parser state in downstream CDT or expression filter operations.

### Conditions

-   All versions (3.1.3 and later)
-   Triggered by crafted msgpack with large map or list sizes (for example, `map_size = 0x80000000`)
-   Reachable via any operation that processes client-supplied msgpack, including CDT operations, expression filters, and batch operations

### Fix

Added overflow-checked arithmetic before incrementing the element count in `msgpack_sz_table()`. The server rejects malformed msgpack with an overflow condition.

Fixed in: **5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2**

### Workaround

None known.
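AS-2026-002 and AS-2026-004 share one root cause: an element count accumulated in 32-bit arithmetic that wraps, so a header announcing far more elements than the buffer holds can leave a truncated payload looking complete. The following added example, which is not Aerospike's `msgpack_sz_table()` or compactify code, walks a small msgpack subset with the wrapping accounting beside the overflow-checked version the two fixes describe; the type codes are standard msgpack, while the `walk` and `mp_size_*` names and the simplified walker are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum { MP_COMPLETE, MP_TRUNCATED, MP_OVERFLOW, MP_BAD } mp_status;

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walks a msgpack subset (positive fixint, nil 0xc0, array32 0xdd, map32 0xdf),
 * tracking 'pending': objects still owed by the headers seen so far. With
 * checked=false the 32-bit accounting wraps as the pre-fix code did; with
 * checked=true it uses the overflow-checked arithmetic the fix describes. */
static mp_status walk(const uint8_t *buf, size_t len, bool checked) {
    uint32_t pending = 1;          /* one top-level object is owed */
    size_t i = 0;
    while (pending > 0) {
        if (i >= len) return MP_TRUNCATED;
        uint8_t t = buf[i++];
        uint32_t n = 0;            /* children this object announces */
        if (t == 0xdd || t == 0xdf) {
            if (len - i < 4) return MP_TRUNCATED;
            uint32_t count = rd_be32(buf + i);
            i += 4;
            n = count;
            if (t == 0xdf) {       /* a map owes a key and a value per entry */
                if (!checked) n = count * 2;  /* 0x80000000 * 2 wraps to 0 */
                else if (__builtin_mul_overflow(count, 2u, &n)) return MP_OVERFLOW;
            }
        } else if (t > 0x7f && t != 0xc0) {
            return MP_BAD;         /* type outside this subset */
        }
        pending--;                 /* this object is consumed... */
        if (!checked) pending += n;   /* ...and owes n more (may wrap to 0) */
        else if (__builtin_add_overflow(pending, n, &pending)) return MP_OVERFLOW;
    }
    return i == len ? MP_COMPLETE : MP_BAD;  /* trailing bytes are malformed too */
}

mp_status mp_size_unchecked(const uint8_t *buf, size_t len) { return walk(buf, len, false); }
mp_status mp_size_checked(const uint8_t *buf, size_t len) { return walk(buf, len, true); }
```

With the wrapping accounting, a lone map32 header claiming `0x80000000` entries, or a list32 claiming `UINT32_MAX` elements nested inside another list, is reported complete with no element bytes at all; the checked version reports an overflow for both.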

---

## AS-2026-001

**AER-6907  ·  Path Traversal  ·  High  ·  CVE-2026-55702, CVE-2026-55757, _CVE-2026-PENDING_**

UDF info commands (`udf-get`, `udf-put`, `udf-remove`) accepted filenames containing path traversal sequences (`../`, `/`, `\`). An attacker with UDF admin privileges could read, write, or delete arbitrary files relative to the configured UDF user path.

Reported through coordinated disclosure as CALIF-2026-28779 (`udf-get` read), CALIF-2026-89231 (`udf-put` write), CALIF-2026-64871 (`udf-remove` delete). Thanks to Thai Duong and Bruce Dang of [Calif](http://calif.io/) for reporting these vulnerabilities.

### Conditions

-   All versions with UDF support (3.1.3 and later)
-   Requires `PERM_UDF_ADMIN` privilege
-   Triggered by a crafted filename in `udf-get`, `udf-put`, or `udf-remove` info commands

### Fix

Added an allowlist-based filename validator that accepts only `[A-Za-z0-9._-$]`, rejects leading dots, and rejects embedded `..` sequences. The validator gates all UDF entry points including SMD ingest and listing. See [UDF security and sandbox hardening](https://aerospike.com/docs/database/advanced/udf/security) for operational rules and cleanup guidance.

Fixed in: **5.7.0.32, 7.1.0.25, 7.2.0.19, 8.0.0.17, 8.1.2.2**

### Workaround

Restrict UDF admin privileges to trusted users only.
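The validator described in the fix, as an added example rather than Aerospike's own code. It reads the bulletin's character class as letters, digits, `.`, `_`, `-` and `$`, and `udf_path` is an assumed helper (not an Aerospike function) that shows where the gate sits relative to the configured UDF user path; the user path in the test is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Characters the bulletin's allowlist admits, read here as letters, digits,
 * '.', '_', '-' and '$' (an assumption about how the class is meant). */
static bool udf_name_char_ok(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-' || c == '$';
}

/* True only for a name that is safe to join onto the UDF user path. All three
 * rules are needed: the allowlist alone still admits ".." and "a..b", and the
 * leading-dot rule alone says nothing about '/' or '\' in the middle. */
bool udf_filename_valid(const char *name) {
    if (name == NULL || name[0] == '\0' || name[0] == '.') return false;
    for (const char *p = name; *p != '\0'; p++) {
        if (!udf_name_char_ok((unsigned char)*p)) return false;   /* no '/', '\\', spaces, control bytes */
    }
    return strstr(name, "..") == NULL;                           /* no embedded .. */
}

/* The gate at an entry point: udf_path is an assumed helper (not an Aerospike
 * function) that only joins a name onto the configured UDF user path after
 * the name has passed validation. */
bool udf_path(const char *user_path, const char *name, char *out, size_t out_sz) {
    if (!udf_filename_valid(name)) return false;
    size_t need = strlen(user_path) + 1 + strlen(name) + 1;    /* path + '/' + name + NUL */
    if (need > out_sz) return false;
    strcpy(out, user_path);
    strcat(out, "/");
    strcat(out, name);
    return true;
}
```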