CVE-2026-47206
Dragonfly RESP Protocol Injection via Lua redis.error_reply()

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing response desynchronization in connection-pool clients. This vulnerability is fixed in 1.39.9.
Affected Vendors & Products
Vendor Product Version / Range
dragonflydb dragonfly 1.39.9
dragonflydb dragonfly to 1.39.9 (exc)
dragonflydb dragonfly to 1.38.9 (exc)
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
AI Quick Actions
Executive Summary

CVE-2026-47206 is a vulnerability in DragonflyDB versions before 1.38.9 where an authenticated user can inject arbitrary RESP (Redis Serialization Protocol) messages into the connection's response stream.

This happens because the EvalSerializer::OnError() function does not sanitize embedded carriage return (\r) and newline (\n) characters in Lua redis.error_reply() results before sending them as RESP protocol messages.

Since CRLF sequences act as RESP frame delimiters, an attacker can craft error strings that split the response into multiple messages, causing response desynchronization in clients using connection pooling.

The vulnerability is fixed by sanitizing these characters before sending the response, preventing injection and desynchronization.

Impact Analysis

This vulnerability can cause response desynchronization in clients that use connection pooling with DragonflyDB.

An attacker who is authenticated can inject crafted RESP messages that disrupt the normal communication protocol, potentially leading to unexpected behavior or errors in applications relying on DragonflyDB.

Until patched, it is advised to avoid using DragonflyDB in multi-tenant environments where multiple users share the same database instance.

Detection Guidance

This vulnerability involves an authenticated user injecting arbitrary RESP messages via Lua scripts using redis.error_reply() with embedded carriage return and newline characters. Detection involves monitoring for unusual or malformed RESP protocol messages that cause response desynchronization in connection-pool clients.

Since the issue arises from crafted Lua EVAL commands that include error replies with CRLF sequences, one way to detect exploitation attempts is to audit or log EVAL commands executed by authenticated users, looking for suspicious error strings containing \r or \n characters.

No explicit detection commands are provided in the resources, but you can attempt to test for the vulnerability by running a crafted EVAL command that tries to inject RESP messages, for example:

  • EVAL "return redis.error_reply('ERR\r\n+INJECTED\r\n')" 0

If the server responds with desynchronized or multiple RESP messages, it indicates the vulnerability is present.
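The following is an added illustration, not code from Dragonfly or from the advisory, of the two points above: why an unescaped CR/LF inside a RESP error frame (the CWE-116 issue in the executive summary) lets one reply read as several frames to a client that shares a connection, what a sanitizing encoder looks like, and the audit heuristic the detection guidance suggests (flag EVAL bodies that build an error_reply containing CR or LF). The RESP reader, the pool simulation and the "replace CR/LF with a space" fix are assumptions for the demonstration; the page does not state how the 1.39.9 patch sanitizes the string, and the sample error text and script are constructed.

```python
"""RESP error-reply framing: unsanitized vs. sanitized, seen from a pooled client.

Constructed demonstration; the encoders below model the behaviour the advisory
describes, not Dragonfly's actual EvalSerializer code.
"""

CRLF = b"\r\n"


def encode_error_unsanitized(msg: str) -> bytes:
    # Models the pre-fix behaviour: the Lua error text goes verbatim into a
    # RESP simple-error frame ("-<msg>\r\n"), so any CRLF inside it ends the
    # frame early and whatever follows is parsed as a new frame.
    return b"-" + msg.encode() + CRLF


def encode_error_sanitized(msg: str) -> bytes:
    # Hardened variant (assumed fix strategy, not necessarily Dragonfly's):
    # strip the frame delimiters so the message stays a single frame.
    clean = msg.replace("\r", " ").replace("\n", " ")
    return b"-" + clean.encode() + CRLF


def parse_resp_frames(stream: bytes) -> list:
    """Minimal RESP2 reader returning (type, payload) per complete frame.

    Handles the types a pooled client reads off the wire for this scenario:
    '+' simple string, '-' error, ':' integer, '$' bulk string.
    """
    frames = []
    i = 0
    while i < len(stream):
        kind = chr(stream[i])
        end = stream.find(CRLF, i)
        if end == -1:
            raise ValueError("truncated frame")
        line = stream[i + 1:end].decode()
        i = end + 2
        if kind in "+-:":
            frames.append((kind, line))
        elif kind == "$":
            n = int(line)
            if n == -1:
                frames.append(("$", None))          # null bulk string
            else:
                frames.append(("$", stream[i:i + n].decode()))
                i += n + 2                          # payload + trailing CRLF
        else:
            raise ValueError(f"unsupported RESP type {kind!r}")
    return frames


def simulate_pooled_reads(encoder, error_text: str, next_reply: bytes):
    """Two pool users share one connection, replies arrive in order.

    User A issued the EVAL and expects one error frame; user B issued the next
    command and expects `next_reply`. Each user reads exactly one frame.
    Returns (frame_seen_by_A, frame_seen_by_B, frames_left_in_buffer).
    """
    wire = encoder(error_text) + next_reply
    frames = parse_resp_frames(wire)
    return frames[0], frames[1], frames[2:]


def eval_script_looks_suspicious(script: str) -> bool:
    """Audit heuristic from the detection guidance: an EVAL body that builds an
    error reply containing CR or LF, either raw or as Lua escape sequences."""
    if "error_reply" not in script:
        return False
    return any(tok in script for tok in ("\r", "\n", "\\r", "\\n"))


if __name__ == "__main__":
    # Constructed inputs: the error text carries an embedded CRLF and a fake
    # "+INJECTED" frame; user B's genuine reply is the bulk string "ok".
    crafted = "ERR\r\n+INJECTED"
    b_reply = b"$2\r\nok\r\n"
    for name, enc in (("unsanitized", encode_error_unsanitized),
                      ("sanitized", encode_error_sanitized)):
        a, b, rest = simulate_pooled_reads(enc, crafted, b_reply)
        print(f"{name:12} A sees {a}, B sees {b}, left in buffer {rest}")
    print("audit flag:", eval_script_looks_suspicious(
        "return redis.error_reply('ERR\\r\\n+INJECTED\\r\\n')"))
```

With the unsanitized encoder, user B reads the forged "+INJECTED" frame and the real "ok" reply stays queued for whoever reads next, which is the desynchronization the advisory describes; with the sanitized encoder the whole error text is one frame and B receives its own reply. The audit check is deliberately coarse (it looks at the script text, not at what the server emitted) because, as the detection guidance notes, logging EVAL bodies is the practical handle a defender has.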

Mitigation Strategies

The primary mitigation is to upgrade DragonflyDB to version 1.38.9 or later, where the vulnerability is fixed by sanitizing embedded CRLF characters in Lua error replies.

Until the patch can be applied, users are advised to avoid using DragonflyDB in multi-tenant environments to reduce the risk of exploitation by authenticated users.

Additionally, restricting or auditing Lua script execution permissions to trusted users can help mitigate the risk.
