Hackers News

CyberSecurity News

Critical Redis Flaws Enable Remote Code Execution Attacks

David kimber
May 7, 2026, 3 Min Read
Five vulnerabilities, four rated High and one Medium, have been identified in Redis, affecting Redis Cloud, Redis Software, and all open-source community editions. The flaws allow authenticated attackers to achieve remote code execution (RCE), offering a direct path to compromise affected systems.

All five require authenticated access to exploit, but successful exploitation can lead to arbitrary code execution in the redis-server process, full system compromise, data exfiltration, or service disruption.

The advisory, released on May 5, 2026, was published by Riaz Lakhani as part of Redis’s continued security initiatives. Four flaws were rated High severity with CVSS scores of 7.7, while one received a Medium severity score of 6.1.

Redis RCE Vulnerabilities

CVE-2026-23479 is a use-after-free vulnerability in the unblock client flow.

When a blocked client is evicted while re-executing a blocked command, the code fails to handle the error returned by processCommandAndResetClient, allowing an authenticated user to trigger a use-after-free condition and potentially execute remote code.

CVE-2026-25243 affects the Redis RESTORE command. An authenticated user can trigger an invalid memory access by sending a specially crafted serialized payload, potentially leading to arbitrary code execution within the Redis server context.

Independent researcher Emil Lerner discovered the double-free variant of this RESTORE flaw, and Joseph Surin identified an integer overflow and out-of-bounds read in VectorSets.

CVE-2026-25588 and CVE-2026-25589 are closely related flaws in the RESTORE command when used with the RedisTimeSeries and RedisBloom modules, respectively.

Both allow authenticated attackers to trigger invalid memory accesses via crafted serialized payloads, resulting in the same RCE impact.

Joseph Surin, John Stephenson, and Annie Nie discovered the TimeSeries flaw; Daniel Firer and Joseph Surin identified multiple RedisBloom issues, including out-of-bounds reads and writes, integer overflow, and heap buffer overflow.

CVE-2026-23631 is a medium-severity Lua use-after-free flaw. An authenticated user can exploit the master-replica synchronization mechanism to trigger the vulnerability.

It specifically affects Redis replicas configured with replica-read-only disabled and exists across all Redis versions with Lua scripting enabled. Researcher Yoni Sherez (@yoyosh__) discovered this flaw.

All Redis Cloud deployments have already been patched with no customer action required. For self-managed deployments, all Redis OSS/CE releases are affected. The following fixed versions have been released:

  • Redis OSS/CE: 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3 and 8.6.3.
  • Redis Software: versions up to and including 8.0.6 are impacted; fixes are available in builds 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279 and 7.2.4-153.
  • RedisTimeSeries: v1.12.14, v1.10.24 and v1.8.23.
  • RedisBloom: v2.8.20, v2.6.28 and v2.4.23.

How to Protect Your Redis Instance

Redis confirms there is no evidence of active exploitation in the wild as of publication.

However, organizations running self-managed instances should act immediately. Key mitigations include:

  • Upgrade to the latest fixed release for your branch; this is the primary remediation step. Downloads are available at redis.io/downloads.
  • Restrict network access with firewalls and network policies so that only trusted sources can reach the Redis port.
  • Enforce strong authentication on every instance, and keep protected-mode enabled in CE and OSS deployments.
  • Apply the principle of least privilege to user permissions, using ACLs to deny potentially dangerous commands to users that do not need them. Given these CVEs, that means RESTORE and Lua scripting (EVAL/EVALSHA) for application users.
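The checks above can be scripted. The following is an added example (not code from Redis or from the advisory) that audits captured `INFO server`, `INFO replication`, `CONFIG GET` and `ACL LIST` replies offline: it compares the running version with the fixed OSS/CE releases listed above, flags protected-mode and bind exposure, detects the writable-replica precondition for CVE-2026-23631, and flags ACL users that can reach RESTORE or Lua. The sample replies are constructed for illustration, and the Redis Software version scheme (e.g. 8.0.10-64) is deliberately not handled.

```python
"""Offline audit of a Redis instance against the fixes and hardening advice
above. Inputs are the raw text of INFO server, INFO replication, ACL LIST and
a CONFIG GET reply, so no live server is needed. Sample replies below are
constructed; Redis Software builds (e.g. 8.0.10-64) are not handled."""
import re

# Fixed Redis OSS/CE releases from the advisory, keyed by release branch.
FIXED_OSS_VERSIONS = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}
# Commands to deny to application users: the vulnerable RESTORE path plus Lua.
DANGEROUS_COMMANDS = {"restore", "restore-asking", "eval", "evalsha", "eval_ro", "evalsha_ro"}


def parse_version(info_server):
    """Extract (major, minor, patch) from an INFO server reply."""
    m = re.search(r"redis_version:(\d+)\.(\d+)\.(\d+)", info_server)
    if not m:
        raise ValueError("redis_version not found in INFO server reply")
    return tuple(int(x) for x in m.groups())


def patch_status(version):
    """'patched', 'vulnerable', or 'unsupported-branch' (no fixed release listed)."""
    fixed = FIXED_OSS_VERSIONS.get(version[:2])
    if fixed is None:
        return "unsupported-branch"
    return "patched" if version >= fixed else "vulnerable"


def parse_info(text):
    """INFO replies are 'key:value' lines with '# Section' headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key] = value
    return fields


def parse_config_get(flat):
    """CONFIG GET returns a flat [key, value, key, value, ...] array."""
    return dict(zip(flat[0::2], flat[1::2]))


def weak_acl_users(acl_list):
    """Flag enabled users with no password, +@all, or an explicit dangerous command."""
    findings = []
    for line in acl_list.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user" or parts[2] != "on":
            continue  # malformed line or disabled user
        name, rules = parts[1], set(parts[3:])
        if "nopass" in rules:
            findings.append(f"acl user {name}: no password required")
        if "+@all" in rules or rules & {"+" + c for c in DANGEROUS_COMMANDS}:
            findings.append(f"acl user {name}: may run RESTORE/EVAL")
    return findings


def audit(info_server, info_repl, config_flat, acl_list):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    version = parse_version(info_server)
    status = patch_status(version)
    if status != "patched":
        findings.append(f"version {'.'.join(map(str, version))} is {status}")
    cfg = parse_config_get(config_flat)
    if cfg.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is disabled")
    bind = cfg.get("bind", "")  # empty bind means all interfaces
    if not bind or {"0.0.0.0", "*", "::"} & set(bind.split()):
        findings.append(f"listening on all interfaces (bind {bind!r})")
    repl = parse_info(info_repl)
    if repl.get("role") == "slave" and cfg.get("replica-read-only") == "no":
        findings.append("writable replica: CVE-2026-23631 precondition present")
    findings.extend(weak_acl_users(acl_list))
    return findings


# Constructed sample replies: a pre-fix, exposed, writable replica.
SAMPLE_INFO_SERVER = "# Server\r\nredis_version:7.4.8\r\nredis_mode:standalone\r\n"
SAMPLE_INFO_REPL = "# Replication\r\nrole:slave\r\nmaster_host:10.0.0.5\r\n"
SAMPLE_CONFIG = ["protected-mode", "no", "bind", "0.0.0.0", "replica-read-only", "no"]
SAMPLE_ACL = (
    "user default on nopass sanitize-payload ~* &* +@all\n"
    "user app on #" + "ab" * 32 + " sanitize-payload ~app:* &* -@all +get +set\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO_SERVER, SAMPLE_INFO_REPL, SAMPLE_CONFIG, SAMPLE_ACL):
        print("FINDING:", finding)
```

Against the constructed sample the audit reports six findings (unpatched 7.4.8, protected-mode off, bind 0.0.0.0, writable replica, and a default user that is both passwordless and granted +@all); the `app` user, limited to GET and SET, is not flagged. Feed it real output from `redis-cli INFO server`, `redis-cli CONFIG GET '*'` and `redis-cli ACL LIST` to audit a live instance.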

Indicators of potential exploitation include unauthorized access attempts, unexplained server crashes with Lua engine stack traces, anomalous command execution by the redis-server user, and unexpected changes to the Redis configuration or to its persistence files (RDB/AOF).

Several of the vulnerabilities were discovered through Wiz's ZeroDay.Cloud platform in partnership with Redis, reflecting the growing role of collaborative bug bounty and vulnerability research programs in proactively securing widely deployed open-source infrastructure.

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.