Couchbase’s mission is to be the data platform that revolutionizes digital innovation. Powering business-critical applications means enterprise-level security is essential for our customers. Given the dynamic nature of security, Couchbase regularly reviews and updates security policies and programs based on the evolution of our products, industry standards, and emerging threats.

Couchbase security program

Couchbase integrates security into our engineering processes with the goal of making our products as secure as possible. We make every effort to look at security during the design, development, and testing of the Couchbase Enterprise Edition.

Enabling security best practices

This security program is focused on giving Couchbase Enterprise Edition the features needed for developers to build secure applications that remain secure in operation. It covers deployment best practices such as authentication, authorization, and encryption as well as helping developers prevent "N1QL injection" attacks.

Vulnerability reporting

This program covers transparent vulnerability reporting and status for the Couchbase Enterprise Edition.

Corporate security


We’re focused on reducing the likelihood of data breaches for Couchbase internal IT systems through physical or electronic means as well as keeping our security policies up to date.

Last updated 21 May 2018.

Security Best Practices with Couchbase

Couchbase provides standard security and enterprise features, which allow you to build security into your applications. Those features include:

Role-based access control (RBAC)

Control privileges to both administrative activities and data access with fine-grained access control.

External authentication

Integrate Couchbase into your existing security infrastructure with LDAP, PAM, and pluggable authentication support.

SDK/Driver features

The Couchbase SDKs provide safe programming paradigms through secure connections, encryption, and parameterized N1QL query support to help prevent attacks like N1QL injection.

Encryption on the wire

Protect data as it’s sent from clients to a cluster or when it’s transferred between clusters so that it cannot be intercepted and stolen.

Encryption at rest

Secure data at rest with complete application transparency using preferred encryption capabilities that prevent unauthorized data access.


Track all user activity in a cluster, including login attempts so data breach attempts, can be identified and stopped.

Core to edge security

Security in Couchbase covers all products whether deployed on mobile and embedded devices or in the datacenter.

Regulation compliance support

Couchbase delivers key features needed to support regulations such as PCI DSS, HIPAA, and GDPR.

Corporate Security

The Couchbase Enterprise Edition (Couchbase Server, Couchbase Sync Gateway, Couchbase Lite) is provided to customers as a software bundle to be self-deployed by customers on their choice of hardware or cloud platform. As such, Couchbase and its employees do not have direct access to the data a customer has stored in Couchbase or to any production customer systems. In the course of offering support and services it may be necessary for Couchbase employees to have limited access or visibility to customer production systems or technical log files that we will ask our customers permission for.

Physical security

Couchbase maintains small engineering datacenters co-located with developers for use in product development and testing. The datacenters are secured by a physical key, electronic access key, and/or biometric access reader. Electronic access is logged and monitored at all entry points, with elevated/second access required for datacenters. A video camera records motion and access to the Couchbase datacenter located at Couchbase headquarters. An alarm system is installed at all on-premises datacenters and Couchbase headquarters. Couchbase headquarters is protected by a security station with security personnel at the front desk lobby. Key fob security badges are required for building access and elevator floor access during non-business hours at Couchbase headquarters. Key fob security badges are surrendered and deactivated upon employee termination.

System security

Couchbase enforces the rule of least privilege for IT systems. Access to designated systems is limited to those personnel for whom access is required based on job function. Data on Couchbase customers is restricted to individuals who require system access to perform job functions. Access to all systems is deleted or suspended upon termination of employment. Secure transfer protocols (SFTP, SSH, etc.) are used to transfer data from one system endpoint to another.

Endpoint device security

Employee computers are password protected and the default configuration for such devices causes the devices to be automatically locked after 10 minutes of inactivity. All employee computers are installed with antivirus/malware software. Employees are provided with a tool to backup/sync company data to enterprise cloud storage. Each employee receives a laptop computer with an assigned unique company asset tag for identification. Couchbase employees are required to contact IT in the event of laptop theft or loss.

Breach notifications

Couchbase will notify customers of any security breach which involved their data as soon as possible after Couchbase becomes aware of it. This applies to information stored in its own systems as well as the systems of its vendors.

Vulnerability Handling

Code scanning and vulnerability monitoring

With every release, Couchbase catalogs all the libraries used in the source code, and performs vulnerability scans to match for publicly known vulnerabilities. Developer code undergoes peer review prior to commit in GitHub, and additional third-party security validators periodically analyze code for vulnerabilities. Couchbase also actively monitors changes and updates to the U.S. National Vulnerability Databases and US-CERT. Any vulnerabilities potentially affecting Couchbase products are marked for the development team to investigate and review as per the CVSS v3 standard, and if applicable, patches are created.

Reporting a security vulnerability

If you believe you have discovered a vulnerability, or have otherwise experienced a security problem related to Couchbase, please report this to us. If you are a Couchbase customer, you can open a support ticket to report a vulnerability. If you are not a customer, you can send an email to

Reporting an issue

To report an issue, please either submit a request or open a JIRA issue. Each procedure associates the issue with an identification number; which can be used for tracking purposes.

Providing information

All vulnerability reports should contain as much information as possible, to assist our engineers in investigating the issue. In particular, if possible, please provide Common Vulnerability information. This includes:

  • A CVSS (Common Vulnerability Scoring System) Score
  • A CVE (Common Vulnerability and Exposures) Identifier
  • Your contact information, including an email address and phone number
Restricting disclosure

Couchbase, Inc. requests that you do not publicly disclose information regarding the reported vulnerability until Couchbase has had the opportunity to analyze and respond to the report, and duly notify key users, customers, and partners.


The amount of time required to validate and resolve a reported vulnerability depends on the complexity and severity of the issue and on the possible presence of third-party dependencies. Couchbase takes all reports seriously, prioritizes their investigation, and publicizes confirmed vulnerabilities in the announcement forum and on the support knowledge base.

Enterprise Security Alerts

CVE Synopsis Impact (CVSS) Products Affects Version Fix Version Publish Date

An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files.

Take care to manually redact any logs exported from the cluster on versions affected by this issue. Upgrading the cluster will automatically prevent the @ns_server password appearing in future log entries.

9.6 Couchbase Server Server
March 2021

Exposed Erlang cookie could lead to Remote Command Execution (RCE) attack

Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS-level commands on the system running the Erlang node.

Recognition: Ofir Hamam, security researcher at EY Israel’s Advanced Security Center

8.0 Couchbase Server Server 6.5.1 Server 6.6.0 August 2020

The Cluster Management and Views endpoints are vulnerable to the "Slowloris" denial-of-service attack as they don't more aggressively terminate slow connections

The Slowloris is a type of denial-of-service attack that allows an attacker to take down a target web endpoint by sending requests that periodically send additional headers and never terminate. Reducing the timeout on receipt of HTTP headers is an effective mitigation of this attack and this is the approach taken in the cluster management and views REST endpoints.

7.5 Couchbase Server
Couchbase Sync Gateway
Server 6.0.3
Server 6.5.0
Sync Gateway < 2.7.
Server 6.5.1
Server 6.0.4
February 2020

FTS UI to upgrade to angular 1.6.9

The Full Text Seach user interface uses AngularJS 1.4.7 for which some known high severity security vulnerabilities exist. These AngularJS libraries have been updated to a more recent version of Angular which has addressed these vulnerabilities.

7.4 Couchbase Server 5.5.5
6.5.0 January 2020

Up until core-io 1.7.11 (and as a result Java SDK 2.7.11), hostname verification on TLS/SSL connections is not enabled and can be a security risk in certain environments

Java 6 (JDK 1.6 - the older SDK baseline version) did not support hostname verification out of the box. Once the SDK moved to Java 7 (Java 1.7) as the baseline, adding support was possible. This happened in jvm-core 1.7.11 (which translates to java-client 2.7.11). It is not possible in earlier versions to manually add it as a workaround, because the facilities to customize it accordingly are not exposed. Note that in order to not break applications that rely on the old behavior, hostname verification is still disabled by default, but can be enabled in the SDK configuration (CouchbaseEnvironment class).


Couchbase Java SDK
Couchbase Spark Connector
Couchbase Kafka Connector
(Connectors depending on Java SDK or Core-IO)
2.7.11 April 2019

Projector and indexer REST endpoints did not require authentication

The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.

Recognition: Apple Security team

7.6 Couchbase Server 4.0.0
September 2018

Couchbase Server returns a WWW-Authenticate response to unauthenticated requests

The Server REST API responds with { {WWW-Authenticate} } header to unauthenticated requests which allows the user to authenticate via a user / password dialog in a web browser. The problem is that these credentials are cached by the browser which allows a hacker to use CSRF to attack a cluster in the event that an administrator has used their browser to check the results of a REST API request. This behavior can be disabled by using couchbase-cli (couchbase-cli setting-security --set --disable-www-authenticate 1 -c localhost:8091 -u <username> -p <password>). This is not disabled by default as it might break existing tools or scripts.

Recognition: Apple Security Team

6.3 Couchbase Server 6.0.0 6.5.1 April 2020

Port 8092 misses X-XSS protection header

Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable, however some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and X-XSS-Protection, which are more generally applicable to HTML endpoint, to be included too. These headers are now included in responses from the Couchbase Server Views REST API (port 8092).


Couchbase Server 5.5.0
6.0.2 March 2019

Prevent N1QL injection in Sync Gateway via _all_docs startkey, endkey

An attacker with access to the Sync Gateway's public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for Couchbase Mobile replication, and external access to this REST endpoint has been blocked to mitigate this issue.

Recognition: Denis Werner/HiSolutions AG

Couchbase Sync Gateway 2.1.2 2.5.0
February 2019

Memcached "connections" stat block command emits non-redacted username

The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy.

This has been fixed so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.

Couchbase Server 6.0.0
January 2019

Eventing debug endpoint must enforce authentication

The eventing service exposes a system diagnostic profile via an HTTP endpoint that does not require credentials on a port earmarked for internal traffic only. This has been remedied and now requires valid credentials to access.

Couchbase Server 6.0.0
6.0.1 December 2018

The /diag/eval endpoint is not locked down to localhost

Couchbase Server exposed the '/diag/eval' endpoint, which, by default, is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase.

Recognition: Apple Security Team

Couchbase Server 4.0.0
October 2018

Erlang cookie uses a weak random seed

The cookie used for intra-node communication was not generated securely. Couchbase Server uses erlang:now() to seed the PRNG which results in a small search space for potential random seeds that could then be used to brute force the cookie and execute code against a remote system.

Recognition:  Apple Security team

Couchbase Server 5.1.1 6.0.0 September 2018

JSON doc with >3k '\t' chars crashes indexer

Secondary indexing encodes the entries to be indexed using collatejson. When index entries contained certain characters like \t, <, >, it caused a buffer overrun as the encoded string would be much larger than accounted for, causing the indexer service to crash and restart. This has been remedied now to ensure the buffer always grows as needed for any input.

Recognition:  D-Trust GmbH

Couchbase Server 4.6.3
August 2018

XDCR does not validate a remote cluster certificate

When an invalid remote cluster certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed. XDCR now checks the validity of the certificate thoroughly and prevents a remote cluster reference from being created with an invalid certificate.

Couchbase Server 5.0.0 5.5.0 June 2018

Editing bucket settings in Couchbase Server allows authentication without credentials

In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets including "default" were changed to only allow access by authenticated users with sufficient authorization. However, users were allowed unauthenticated and unauthorized access to the "default" bucket if the properties of this bucket were edited. This has been fixed.

Couchbase Server 5.0.0 5.1.0
December 2017