5 matches found
CVE-2022-32563
CVE-2022-32563 affects Couchbase Sync Gateway 3.x before 3.0.2. When configured to authenticate to Couchbase Server with X.509 client certificates, the gateway does not verify admin credentials supplied to the Admin REST API, allowing privilege escalation for unauthenticated users. The issue does...
CVE-2019-9039
CVE-2019-9039 affects Couchbase Sync Gateway 2.1.2. An attacker with access to the public REST API could inject additional N1QL statements via the startkey/endkey parameters on the _all_docs endpoint. The underlying vulnerability is a N1QL injection that could disclose sensitive d...
CVE-2021-43963
CVE-2021-43963 affects Couchbase Sync Gateway 2.7.0–2.8.2. The bucket credentials used to read/write data were insecurely stored in metadata within Sync Gateway’s bucket sync documents. A user with read access could leverage those credentials to obtain write access to the Couchbase Server. The is...
CVE-2020-9041
CVE-2020-9041 affects Couchbase Server 6.0.3 and Couchbase Sync Gateway up to 2.7.0. The cluster management, views, query, and full-text search endpoints are vulnerable to a Slowloris denial-of-service attack due to insufficient termination of slow connections. Impact is Denial ...
CVE-2025-52490
CVE-2025-52490 affects Couchbase Sync Gateway versions prior to 3.2.6. The issue arises from cleartext passwords appearing in redacted and unredacted output in sgcollect_info_options.log and sync_gateway.log, enabling potential information disclosure. The linked advisories indicate upgrading to a...