Couchbase Security Vulnerabilities (CVEs)
Track 29 security vulnerabilities affecting Couchbase products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
The Couchbase .NET SDK before version 3.7.1 has a TLS certificate validation vulnerability where hostname verification is disabled by default. This al...
Jun 18, 2025

This vulnerability allows users with the security_admin_local role in Couchbase Server to create new users with admin privileges, bypassing intended r...
Jan 27, 2025

CVE-2024-37034 is an authentication bypass vulnerability in Couchbase Server where credentials may not be properly negotiated with SCRAM-SHA encryptio...
Jul 26, 2024

Unauthenticated attackers can send large commands to Couchbase Server's memcached component, causing memory exhaustion and denial of service. This aff...
Mar 27, 2024

CVE-2023-50437 exposes sensitive authentication cookies (otpCookie) to administrators through specific API endpoints in Couchbase Server. This allows ...
Feb 29, 2024

CVE-2023-49930 is an improper access control vulnerability in Couchbase Server that allows unauthenticated attackers to execute arbitrary code via cUR...
Feb 29, 2024

Couchbase Server 7.1.x and 7.2.x before 7.2.4 exposes sensitive admin statistics and vitals endpoints without authentication on localhost port 8093. T...
Feb 28, 2024

This vulnerability allows a remote attacker to exploit heap corruption in Google Chrome's V8 JavaScript engine via a crafted HTML page. Attackers coul...
Jan 16, 2024

CVE-2023-36667 is a directory traversal vulnerability in Couchbase Server that allows attackers to access files outside the intended directory. This a...
Nov 8, 2023

CVE-2023-45875 is a private key leak vulnerability in Couchbase Server 7.2.0 where sensitive cryptographic keys are exposed in debug.log files when ad...
Nov 8, 2023

This vulnerability is a type confusion flaw in Chrome's V8 JavaScript engine that allows a remote attacker to trigger heap corruption by tricking the ...
Jun 5, 2023

This vulnerability is a type confusion flaw in Chrome's V8 JavaScript engine that could allow a remote attacker to execute arbitrary code or cause hea...
Apr 14, 2023

Couchbase Server versions 5 through 7.1.3 expose the nsstats endpoint without requiring authentication. This allows unauthenticated attackers to acces...
Mar 23, 2023

CVE-2022-42951 is an authentication bypass vulnerability in Couchbase Server that allows attackers to connect to the cluster manager using default cre...
Feb 6, 2023

Couchbase Server versions before 6.6.6, 7.0.5, and 7.1.2 expose sensitive information to unauthorized actors. This vulnerability allows attackers to a...
Feb 6, 2023

CVE-2022-32556 is a sensitive information disclosure vulnerability in Couchbase Server where private keys are written to log files during certain cras...
Jul 21, 2022

CVE-2022-33173 is an algorithm-downgrade vulnerability in Couchbase Server Analytics Remote Links that temporarily downgrades to non-TLS connections d...
Jul 12, 2022

Couchbase Server versions 5.x through 7.x before 7.0.4 expose sensitive information to unauthorized actors. This information disclosure vulnerability ...
Jun 13, 2022

CVE-2022-32565 is an information disclosure vulnerability in Couchbase Server where the Backup Service logs contain unredacted usernames and document ...
Jun 13, 2022

CVE-2022-32564 is an information disclosure vulnerability in Couchbase Server's couchbase-cli tool where the server-eshell command leaks the Cluster M...
Jun 13, 2022

CVE-2022-32558 is a vulnerability in Couchbase Server where sample bucket loading failures can expose internal user passwords. This affects Couchbase ...
Jun 13, 2022

CVE-2022-32563 is an authentication bypass vulnerability in Couchbase Sync Gateway that allows unauthenticated users to escalate privileges when X.509...
Jun 10, 2022

Couchbase Operator versions 2.2.x before 2.2.3 expose sensitive information like secrets in Kubernetes logs, allowing unauthorized actors to access cr...
Mar 10, 2022

CVE-2021-43963 is a privilege escalation vulnerability in Couchbase Sync Gateway where bucket credentials are insecurely stored in sync documents. Use...
Dec 7, 2021

CVE-2021-37842 is a cleartext storage vulnerability in Couchbase Server 7.0.0 where sensitive XDCR (Cross Data Center Replication) credentials can be ...
Nov 2, 2021

CVE-2021-35943 allows externally managed users in Couchbase Server to authenticate with empty passwords, violating RFC4513 authentication requirements...
Sep 29, 2021

CVE-2021-35945 is a buffer overflow vulnerability in Couchbase Server's memcached component that allows remote attackers to crash the service via spec...
Sep 29, 2021

CVE-2021-25644 is an information disclosure vulnerability in Couchbase Server where incorrect REST API commands cause authentication credentials to be...
May 19, 2021

CVE-2020-24719 is a critical vulnerability in Couchbase Server where the Erlang magic cookie (authentication secret) can be exposed in logs. Attackers...
Nov 12, 2020

Why Monitor Couchbase Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 29+ known vulnerabilities affecting Couchbase products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Couchbase packages in under 60 seconds. No agents required - completely agentless scanning that works across Couchbase deployments.
Free vulnerability database: Access detailed information about every Couchbase CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.