Five significant vulnerabilities have been disclosed in Redis, potentially exposing Redis Cloud, Redis Software, and all open-source community editions to remote code execution. These issues, which require authenticated access to exploit, could lead to severe consequences including arbitrary code execution and system compromise.
The advisory disclosing these vulnerabilities was published on May 5, 2026, by Riaz Lakhani as part of Redis's ongoing security efforts. Of the identified flaws, four were rated High severity with CVSS scores of 7.7, and one was rated Medium with a score of 6.1.
Details of Redis RCE Vulnerabilities
Among the identified vulnerabilities, CVE-2026-23479 is a use-after-free flaw in the unblock client flow. The issue arises when a blocked client is removed while a command is re-executed and the resulting error is not handled correctly; an authenticated user could leverage this flaw for remote code execution.
Another significant flaw, CVE-2026-25243, involves the RESTORE command. It allows an authenticated user to trigger invalid memory access by sending a specially crafted payload, leading to potential arbitrary code execution. Additional vulnerabilities include a double-free variant discovered by researcher Emil Lerner and integer overflow issues identified by Joseph Surin.
Impact on Redis Modules
CVE-2026-25588 and CVE-2026-25589 are closely related vulnerabilities affecting the RESTORE command when it is used with the RedisTimeSeries and RedisBloom modules. These flaws allow an authenticated attacker to trigger invalid memory access with crafted payloads, posing a risk of remote code execution.
The CVE-2026-23631 vulnerability, rated Medium severity, involves a Lua use-after-free error. This can be triggered through the master-replica synchronization mechanism, affecting Redis replicas with specific configurations. Discovered by researcher Yoni Sherez, it impacts all Redis versions utilizing Lua scripting.
Mitigation and Security Measures
Redis has already patched all Cloud deployments, so no customer intervention is needed there. For self-managed environments, however, it is crucial to upgrade to the fixed versions. The fixed Redis OSS/CE versions are 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3; for Redis Software, impacted versions up to 8.0.6 have fixes available in the builds specified in the advisory.
Organizations are advised to limit network access using firewalls, enforce strong authentication, and enable Redis protected-mode. Adhering to the principle of least privilege for user permissions can also reduce risk. Monitoring for unusual activities and unauthorized access attempts is recommended to detect potential exploitation.
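As an added example (not Redis's own tooling and not part of the advisory), the following script turns the two defensive steps above into checks a self-managed operator can run: it compares a server's reported redis_version against the fixed OSS/CE versions listed in the advisory, and it audits a redis.conf for the hardening measures recommended here (protected-mode, a restricted bind address, authentication, and least-privilege ACL users). The directive names (protected-mode, bind, requirepass, user) and the ACL category @dangerous are real Redis configuration items; the sample config texts and the REPLACE_WITH_* secrets are constructed placeholders.

```python
"""Check a Redis deployment against the advisory's fixed versions and the
hardening it recommends. Added example; not Redis's own tooling."""
import re

# Fixed Redis OSS/CE versions from the advisory, keyed by release branch.
FIXED_VERSIONS = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from INFO server output
    (the 'redis_version:' line) or from a bare version string."""
    m = re.search(r"redis_version:(\d+)\.(\d+)\.(\d+)", text) or \
        re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError("no redis_version found")
    return tuple(int(x) for x in m.groups())


def version_status(version):
    """'patched' if at or above the branch's fixed release, 'vulnerable' if
    below it, 'unknown-branch' if the advisory lists no fix for that branch."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def parse_config(text):
    """Parse redis.conf-style lines into directive -> list of argument lists.
    Directives may repeat (e.g. several 'user' lines), so values accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_config(text):
    """Return a list of hardening findings; an empty list means all checks passed."""
    conf = parse_config(text)
    findings = []
    # protected-mode defaults to yes when the directive is absent.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() != "yes":
        findings.append("protected-mode is disabled")
    # Limit network exposure: require an explicit, non-wildcard bind address.
    bind = conf.get("bind")
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind[-1]):
        findings.append("bind exposes the listener on all interfaces")
    # Strong authentication: requirepass or an ACL user with a password rule.
    users = conf.get("user", [])
    has_password = "requirepass" in conf or any(
        any(a.startswith((">", "#")) for a in u[1:]) for u in users)
    if not has_password:
        findings.append("no requirepass and no ACL user with a password")
    # Least privilege: no passwordless default user, no +@all without -@dangerous.
    for u in users:
        if not u:
            continue
        name, rules = u[0], [a.lower() for a in u[1:]]
        if name == "default" and "off" not in rules and "nopass" in rules:
            findings.append("default user is enabled without a password")
        if name != "default" and "on" in rules and "+@all" in rules \
                and "-@dangerous" not in rules:
            findings.append(f"user {name} has +@all without -@dangerous")
    return findings


# Constructed sample configs: an exposed instance and a hardened one.
WEAK_CONF = """
protected-mode no
bind 0.0.0.0
port 6379
"""
HARDENED_CONF = """
protected-mode yes
bind 127.0.0.1 -::1
requirepass REPLACE_WITH_STRONG_SECRET
user default off
user app on >REPLACE_WITH_APP_SECRET ~app:* &* -@all +@read +@write -@dangerous
"""

if __name__ == "__main__":
    # Constructed INFO fragment for a pre-fix 7.2 server.
    print(version_status(parse_version("# Server\r\nredis_version:7.2.13\r\n")))
    print(audit_config(WEAK_CONF))
    print(audit_config(HARDENED_CONF))
```

The hardened sample relies on ACL rule ordering: +@write would admit RESTORE, so the trailing -@dangerous (the category that includes RESTORE) removes it again for the application user, which is the least-privilege step the advisory recommends.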
These vulnerabilities were identified through Wiz’s ZeroDay.Cloud platform, showcasing the importance of collaborative security research in safeguarding widely used open-source infrastructure.
