Critical Redis Vulnerabilities Let Attackers Execute Remote Code
Key Takeaways Five critical vulnerabilities, including four high-severity flaws, have been identified in Redis, potentially leading to remote code execution (RCE). The flaws affect Redis Cloud, Redis...
Key Takeaways
- Five critical vulnerabilities, including four high-severity flaws, have been identified in Redis, potentially leading to remote code execution (RCE).
- The flaws affect Redis Cloud, Redis Software, and all open-source community editions, allowing authenticated attackers to compromise systems.
- Patches are available for all affected versions of Redis OSS/CE and Redis Software, with Redis Cloud deployments already updated.
- While no active exploitation has been observed, immediate action is urged for self-managed Redis instances.
Five significant security vulnerabilities, four of which carry a “High” severity rating, have been discovered in Redis, the popular open-source, in-memory data structure store. These critical flaws could enable authenticated attackers to achieve remote code execution (RCE), posing a direct threat to the integrity of affected systems running Redis Cloud, Redis Software, and various open-source community editions.
Table Of Content
Although successful exploitation of these vulnerabilities requires authenticated access, the potential consequences are severe, ranging from arbitrary code execution and full system compromise to data exfiltration and service disruption.
The security advisory, published on May 5, 2026, by Riaz Lakhani, forms part of Redis’s ongoing commitment to security. Four of the identified flaws received CVSS scores of 7.7, classifying them as high severity, while one was rated medium severity with a CVSS score of 6.1.
Redis RCE Vulnerabilities Detailed
High-Severity Flaws
CVE-2026-23479 is a use-after-free vulnerability impacting the unblock client flow. This flaw arises when a client, previously blocked, is evicted during the re-execution of a blocked command. The system’s failure to properly handle errors returned by the processCommandAndResetClient function allows an authenticated user to trigger the use-after-free condition, potentially leading to remote code execution.
CVE-2026-25243 targets the Redis RESTORE command. An authenticated user can trigger an invalid memory access by supplying a specially crafted serialized payload. This manipulation could result in arbitrary code execution within the context of the Redis server. Independent researcher Emil Lerner discovered a double-free variant of this issue, while Joseph Surin identified an integer overflow and an out-of-bounds read within VectorSets.
CVE-2026-25588 and CVE-2026-25589 are closely related vulnerabilities affecting the RESTORE command when used in conjunction with the RedisTimeSeries and RedisBloom modules, respectively. Both allow authenticated attackers to trigger invalid memory accesses through malformed serialized payloads, leading to the same critical RCE impact. Joseph Surin, John Stephenson, and Annie Nie are credited with discovering the TimeSeries flaw. Daniel Firer and Joseph Surin identified multiple issues within RedisBloom, including out-of-bounds reads and writes, integer overflow, and heap buffer overflow.
Medium-Severity Flaw
CVE-2026-23631 is a medium-severity use-after-free vulnerability within Redis’s Lua scripting engine. An authenticated user can exploit the master-replica synchronization mechanism to trigger this flaw. It specifically impacts Redis replicas where replica-read-only is disabled and affects all Redis versions with Lua scripting enabled. Researcher Yoni Sherez (@yoyosh__) is credited with its discovery.
Redis Cloud deployments have already been updated to address these vulnerabilities, requiring no action from customers. For organizations managing their own Redis instances, all Redis OSS/CE releases are affected. The following patched versions have been released:
- Redis OSS/CE: 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3.
- Redis Software versions up to and including 8.0.6 are impacted, with fixes available in builds 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.
- Module-specific fixes include RedisTimeSeries v1.12.14, v1.10.24, v1.8.23, and RedisBloom v2.8.20, v2.6.28, v2.4.23.
Several of these vulnerabilities were identified through Wiz’s ZeroDay.Cloud platform, in collaboration with Redis, highlighting the increasing importance of collaborative research efforts in securing critical open-source infrastructure.
What You Should Do
Redis has confirmed no evidence of active exploitation in the wild as of the publication date. However, organizations operating self-managed Redis instances must take immediate action.
- Upgrade Immediately: The most crucial step is to upgrade all affected Redis instances to the latest fixed releases. Downloads are available at redis.io/downloads.
- Restrict Network Access: Implement strict firewall rules and network policies to limit access to Redis instances to only trusted sources.
- Enforce Strong Authentication: Ensure robust authentication mechanisms are in place across all Redis deployments.
- Enable Protected Mode: For Redis CE and OSS deployments, ensure
protected-moderemains enabled. - Apply Least Privilege: Configure user permissions to adhere to the principle of least privilege, minimizing access to potentially dangerous commands.
- Monitor for Exploitation: Be vigilant for indicators of potential compromise, including unauthorized access attempts, unexplained server crashes (especially with Lua engine stack traces), anomalous command execution by the
redis-serveruser, and unexpected modifications to Redis configuration or persistent files.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.