ClickHouse vulnerabilities: known CVEs & security history
ClickHouse · Database · 23 tracked CVEs · 0 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all ClickHouse release lines — 23 in total. A CVE here doesn't mean your version is affected — check ClickHouse's current status and the safe version to run.
Known ClickHouse CVEs
Actively-exploited and most-severe first. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2019-16535 | critical | 9.8 | 2% | 2019 |
| CVE-2018-14671 | critical | 9.8 | 3% | 2019 |
| CVE-2018-14670 | critical | 9.8 | 2% | 2019 |
| CVE-2019-16536 | high | 8.8 | 1% | 2025 |
| CVE-2021-43305 | high | 8.8 | 2% | 2022 |
| CVE-2021-43304 | high | 8.8 | 2% | 2022 |
| CVE-2018-14668 | high | 8.8 | 1% | 2019 |
| CVE-2021-42388 | high | 8.1 | 2% | 2022 |
| CVE-2021-42387 | high | 8.1 | 2% | 2022 |
| CVE-2024-41436 | high | 7.5 | 1% | 2024 |
| CVE-2022-44010 | high | 7.5 | 1% | 2023 |
| CVE-2018-14669 | high | 7.5 | 2% | 2019 |
| CVE-2023-48704 | high | 7 | 0% | 2023 |
| CVE-2023-47118 | high | 7 | 0% | 2023 |
| CVE-2022-44011 | medium | 6.5 | 1% | 2023 |
| CVE-2021-42391 | medium | 6.5 | 1% | 2022 |
| CVE-2021-42390 | medium | 6.5 | 1% | 2022 |
| CVE-2021-42389 | medium | 6.5 | 1% | 2022 |
| CVE-2019-15024 | medium | 6.5 | 1% | 2019 |
| CVE-2023-48298 | medium | 5.9 | 1% | 2023 |
| CVE-2019-18657 | medium | 5.3 | 1% | 2019 |
| CVE-2018-14672 | medium | 5.3 | 2% | 2019 |
| CVE-2024-22412 | low | 2.4 | 1% | 2024 |
Is my ClickHouse version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your ClickHouse version → · Monitor ClickHouse for new CVEs →
ClickHouse vulnerabilities — frequently asked
How many known vulnerabilities does ClickHouse have?
IsItPatched tracks 23 CVEs for ClickHouse. 3 are critical-severity and 11 high-severity. These span every release line — what matters is whether the version you run is affected.
Does ClickHouse have any actively-exploited vulnerabilities?
None of ClickHouse's tracked CVEs are currently in CISA's KEV catalog — but new ones can be added at any time, so keep your version current.
What is the most severe ClickHouse vulnerability?
Among tracked issues, CVE-2019-16535 (CRITICAL, CVSS 9.8) ranks highest — a Out-of-bounds read weakness.
Is ClickHouse safe to use?
It depends on the version. The latest supported ClickHouse release (26.5.2.39) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: ClickHouse security status · ClickHouse end-of-life · actively-exploited CVEs. Always verify against ClickHouse's advisories — see our disclaimer.