Login Sign Up

CVE-2022-24706

9.8 CRITICAL
Remote Code Execution Authentication Bypass

📋 TL;DR

CVE-2022-24706 is a critical authentication bypass vulnerability in Apache CouchDB that allows unauthenticated attackers to gain admin privileges on improperly secured default installations. This affects all CouchDB installations prior to version 3.2.2 that haven't been properly hardened according to security recommendations.

💻 Affected Systems

Products:
  • Apache CouchDB
Versions: All versions prior to 3.2.2
Operating Systems: All operating systems running CouchDB
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations that haven't been properly secured according to CouchDB documentation recommendations.

📦 What is this software?

Couchdb by Apache

View all CVEs affecting Couchdb →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution, data theft, and potential lateral movement to other systems.

🟠

Likely Case

Unauthenticated attackers gaining admin access to CouchDB databases, allowing data manipulation, deletion, or exfiltration.

🟢

If Mitigated

Minimal impact if proper network segmentation, firewalls, and authentication are configured as recommended.

🌐 Internet-Facing: HIGH - Default installations exposed to the internet are trivially exploitable without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but requires network access to CouchDB.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and detailed technical analysis available. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.2 and later

Vendor Advisory: https://couchdb.apache.org/#cve-2022-24706

Restart Required: Yes

Instructions:

1. Backup CouchDB data and configuration. 2. Stop CouchDB service. 3. Upgrade to CouchDB 3.2.2 or later using your package manager or manual installation. 4. Start CouchDB service. 5. Verify upgrade and test functionality.

🔧 Temporary Workarounds

Network Access Restriction

linux

Configure firewall rules to restrict access to CouchDB ports (default 5984, 5986) to only trusted IP addresses.

iptables -A INPUT -p tcp --dport 5984 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 5984 -j DROP
iptables -A INPUT -p tcp --dport 5986 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 5986 -j DROP

Enable Authentication

all

Configure CouchDB to require authentication for all operations, following official security hardening guidelines.

curl -X PUT http://localhost:5984/_node/_local/_config/admins/admin -d '"secure_password"'
curl -X PUT http://localhost:5984/_node/_local/_config/chttpd/require_valid_user -d '"true"'

🧯 If You Can't Patch

  • Place CouchDB behind a reverse proxy with authentication (like nginx with HTTP basic auth)
  • Implement network segmentation to isolate CouchDB from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check CouchDB version and attempt unauthenticated admin access: curl -X GET http://couchdb-host:5984/_membership

Check Version:

curl -s http://couchdb-host:5984/ | grep version

Verify Fix Applied:

Verify version is 3.2.2 or later and test that unauthenticated admin access is denied.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to admin endpoints
  • Failed authentication attempts followed by successful admin operations
  • Unusual database creation or modification patterns

Network Indicators:

  • Unusual traffic to CouchDB ports from unexpected sources
  • HTTP requests to /_membership, /_config, or /_nodes without authentication

SIEM Query:

source="couchdb.log" AND (uri_path="/_membership" OR uri_path="/_config" OR uri_path="/_nodes") AND NOT (user!="")

📊 Metadata

CVE ID: CVE-2022-24706
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-1188
Published: April 26, 2022
Last Updated: October 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24706, you might also want to check these:

CVE-2025-41672 10.0

This critical vulnerability allows remote unauthenticated attackers to generate valid JWT tokens usi...

Same vulnerability type (CWE-1188)
CVE-2024-2912 10.0

This CVE describes a critical insecure deserialization vulnerability in BentoML that allows remote a...

Same vulnerability type (CWE-1188)
CVE-2024-0001 10.0

A local administrative account intended for initial FlashArray configuration remains active after se...

Same vulnerability type (CWE-1188)