CVE-2025-46619: LFI Vulnerability Affects Multiple Versions of Couchbase Server for Windows

Couchbase Server, a widely-used NoSQL document database engineered for high-performance, interactive applications, disclosed a serious security flaw. The vulnerability, tracked as CVE-2025-46619 and assigned a CVSS base score of 8.7, affects Windows installations of Couchbase Server and could allow attackers to access sensitive system files through Local File Inclusion (LFI) exploitation.

Couchbase Server is known for its distributed, multi-model architecture, supporting key-value pairs and JSON document storage, and offering SQL-like querying through its N1QL engine. It powers data-intensive applications in real-time, and with its cloud-native Couchbase Capella platform, it’s become a go-to choice for enterprises scaling modern apps.

The LFI vulnerability in Couchbase Server for Windows can be exploited to gain unauthorized access to critical files stored on the underlying system. While the attack requires local access or some form of indirect privilege, its consequences could be significant depending on user context.

“Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or /etc/shadow,” according to the advisory.

The following versions are confirmed to be affected:

• 7.6.3, 7.6.2, 7.6.1, 7.6.0
• 7.2.6, 7.2.5, 7.2.4, 7.2.3, 7.2.2, 7.2.1, 7.2.0
• 7.1.x
• 7.0.x
• 6.x
• 5.x
• 4.x
• 3.x
• 2.x

Couchbase has promptly addressed this critical vulnerability by releasing patched versions. To safeguard your Windows-based Couchbase Server deployments, it is imperative to upgrade to one of the following fixed versions as soon as possible:

• 7.6.4
• 7.2.7

Related Posts:

• CVE-2023-43769 (CVSS 9.1): Couchbase Server Privilege Escalation Flaw
• CVE-2023-6989: Shield Security Plugin Hit by Severe LFI Vulnerability, 50,000+ Sites Affect
• 90k+ Users at Risk: Unauthenticated LFI Vulnerability Affects Porto Theme