RESP Protocol Injection Vulnerability in Dragonfly Data Store by DragonflyDB
CVE-2026-47206

2.3 LOW

Key Information:

CVE Published: 26 June 2026

What is CVE-2026-47206?

The Dragonfly data store, designed for modern application workloads, is affected by a RESP protocol injection vulnerability in versions prior to 1.39.9. An authenticated user can inject arbitrary RESP messages into the connection's response stream through the Lua redis.error_reply() function in EvalSerializer. The injected messages can desynchronize responses, particularly for clients that use connection pools. The vulnerability has been addressed in version 1.39.9.
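The desynchronization described above, as an added illustration (not code from Dragonfly or from this advisory): an error-reply encoder that copies the text unchanged beside one that neutralizes frame terminators, and what the next borrower of a pooled connection reads in each case. It assumes the injection relies on CR/LF bytes in the error text, which the page does not state; all function names and sample bytes are constructed.

```python
CRLF = b"\r\n"

def encode_error_naive(msg: bytes) -> bytes:
    """Weak form: the error text is copied into the RESP frame unchanged."""
    return b"-" + msg + CRLF

def encode_error_safe(msg: bytes) -> bytes:
    """Hardened form: CR and LF in the text cannot end the frame early."""
    return b"-" + msg.replace(b"\r", b" ").replace(b"\n", b" ") + CRLF

def parse_frames(buf: bytes) -> list:
    """Parse RESP2 simple strings, errors, integers and bulk strings."""
    frames, pos = [], 0
    while pos < len(buf):
        end = buf.index(CRLF, pos)
        kind, body = buf[pos:pos + 1], buf[pos + 1:end]
        pos = end + 2
        if kind in (b"+", b"-", b":"):
            frames.append((kind.decode(), body))
        elif kind == b"$":
            n = int(body)
            frames.append(("$", buf[pos:pos + n]))
            pos += n + 2  # skip payload and its trailing CRLF
        else:
            raise ValueError(f"unsupported frame type {kind!r}")
    return frames

def pooled_view(stream: bytes, requests: int):
    """A client consumes one reply per request; surplus frames stay on the
    pooled connection and are read by whoever borrows it next."""
    frames = parse_frames(stream)
    return frames[:requests], frames[requests:]

# Constructed sample: error text from a script, then the genuine reply
# to the next borrower's request on the same connection.
SCRIPT_ERROR = b"ERR rejected\r\n+OK"
NEXT_REPLY = b"$5\r\nalice\r\n"

def demo(encoder):
    """Return (first frame the next borrower reads, surplus frame present?)."""
    stream = encoder(SCRIPT_ERROR) + NEXT_REPLY
    _, leftover = pooled_view(stream, 1)
    return leftover[0], len(leftover) > 1

if __name__ == "__main__":
    print("naive:", demo(encode_error_naive))
    print("safe: ", demo(encode_error_safe))
```

A reply count that exceeds the request count on a connection, as in the naive case, is also a usable client-side signal for discarding that connection instead of returning it to the pool.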

Affected Version(s)

dragonfly < 1.38.9

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved