EventStoreDB Projections Subsystem has potential password leak
Description
EventStoreDB projections subsystem vulnerability allows password leak from chunk files or system streams; fixed in versions 23.10.1, 22.10.5, 21.10.11, 20.10.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the projections subsystem of EventStoreDB. Only database instances that use custom projections are affected. Affected versions include 20.x before 20.10.6, 21.x before 21.10.11, 22.x before 22.10.5, and 23.x before 23.10.1 [2].
Exploitation
An attacker with access to the chunk files on disk, or with read access to system streams, can potentially obtain user passwords. By default, only users in the $admins group can access system streams [2]; without one of these two access paths the issue cannot be exploited.
Impact
Successful exploitation could lead to disclosure of user passwords, compromising confidentiality. The attacker gains access to credentials that may be reused in other systems [2].
Mitigation
Upgrade to a fixed version: 23.10.1, 22.10.5, 21.10.11 or 20.10.6 [2]. Additionally, reset the passwords of current and previous members of the $admins and $ops groups; if any of those passwords was reused elsewhere, reset it there as well [2]. If the upgrade cannot be performed immediately, reset those passwords and avoid creating custom projections until the instance is patched [2]. The fix is also documented in commit [4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=20 <20.10.6, >=21 <21.10.11, >=22 <22.10.5, >=23 <23.10.1
- (no CPE) range: >=23.0.0 <23.10.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The projections subsystem leaks user passwords into chunk files and system streams when custom projections are used."
Attack vector
An attacker who has access to the chunk files on disk, or who has read access to system streams, can retrieve user passwords that were leaked by the projections subsystem. By default, only members of the `$admins` group can access system streams. The vulnerability is triggered when custom projections are used, causing user passwords to become accessible in these locations [ref_id=1].
Affected code
The vulnerability resides in the projections subsystem of EventStoreDB. The advisory states that only database instances using custom projections are affected. No specific function or file names are identified in the provided bundle beyond the general "projections subsystem."
What the fix does
The patch is applied in versions 23.10.1, 22.10.5, 21.10.11, and 20.10.6. The commit shown updates the changelog to note that CVE-2024-26133 is addressed, but the actual code fix is not included in the provided bundle. The advisory recommends upgrading EventStoreDB and resetting passwords for current and previous members of `$admins` and `$ops` groups as remediation [ref_id=1].
Preconditions
- config: The database instance must use custom projections.
- input: The attacker must have access to chunk files on disk or read access to system streams.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- developers.eventstore.com/cloud/ops/ (MISC)
- developers.eventstore.com/server/v22.10/upgrade-guide.html (MISC)
- github.com/EventStore/EventStore/commit/6d4edee18c7fe886abffe58fa1f97d72681b24bf (MISC)
- github.com/EventStore/EventStore/security/advisories/GHSA-6r53-v8hj-x684 (CONFIRM)
- www.eventstore.com/blog/eventstoredb-security-release-23.10-22.10-21.10-and-20.10-for-cve-2024-26133 (MISC)
- www.eventstore.com/blog/new-version-strategy (MISC)
News mentions
No linked articles in our index yet.