AI Unveils Redis Vulnerability
An autonomous AI tool has identified a serious security flaw in Redis, the widely deployed in-memory data store, that exposes systems to remote code execution (RCE). Tracked as CVE-2026-23479, the vulnerability entered the code base with Redis 7.2.0 and went unnoticed until it was patched on May 5. The tool, built to scan large code bases for bugs, found a flaw that lets an authenticated user run arbitrary operating system commands on the host.
Impact on Cloud Environments
Redis's ubiquity in cloud environments raises the stakes. According to an analysis by Wiz, many Redis instances run with no password at all, which removes the only barrier in front of this bug. Exploitation does require an authenticated session, but the stock configuration sets no password and grants the default user every command, so an instance reachable on the network without further hardening already meets that precondition.
The bug sits in unblockClientOnKey() in src/blocked.c. When a key that a client is blocked on becomes ready, this function calls into another routine that can free the client as a side effect, and then carries on using the now-dangling client pointer: a classic use-after-free. Because an attacker can influence what occupies the freed allocation, the dangling pointer is a path to arbitrary command execution rather than merely a crash.
Technical Breakdown of the Exploit
The vulnerability was introduced by two separate commits in early 2023. The first added an unchecked call; the second widened client access. Neither was harmful on its own, but together they produced the bug that shipped in the general release of Redis 7.2.0. The exploit runs in three stages: a Lua script first leaks a heap address, which is what makes the later steps reliable in spite of ASLR; heap manipulation then places a fake client object in the freed memory; and finally the attacker tampers with Redis's memory accounting to get a shell command executed.
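The structural fix for this class of bug is to stop the callee from freeing a client while its caller still holds the pointer, and to defer the release instead. The C sketch below is an added example, not Redis source and not the actual patch for CVE-2026-23479: it models the caller/callee shape described above (the names client, server, serve_blocked, unblock_on_key and free_pending_clients are invented here) and shows the deferred-release pattern, where the callee only flags a client and a queue is drained once the event-loop iteration has finished.

```c
/* Added example, not Redis source: the caller/callee shape behind the
 * use-after-free described above, written with the deferred-release pattern
 * that avoids it. Names (client, server, serve_blocked, unblock_on_key) are
 * illustrative; a negative client id stands in for a connection the callee
 * decides to drop. */
#include <stdlib.h>
#include <string.h>

#define CLOSE_ASAP 0x1u

struct client {
    int id;                       /* < 0: the callee will want this client gone */
    unsigned flags;
    int served;
    struct client *next_pending;
};

struct server {
    struct client *blocked[8];    /* clients blocked on one key */
    int nblocked;
    struct client *pending_close; /* release queue, drained after the loop */
    int freed;                    /* clients actually free()d so far */
    int skipped;                  /* post-callback work skipped for closing clients */
};

static struct client *new_client(struct server *s, int id) {
    struct client *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->id = id;
    s->blocked[s->nblocked++] = c;
    return c;
}

/* Deferred release: flag and queue the client; its memory stays valid until
   the event-loop iteration ends. Queueing the same client twice is a no-op. */
void free_client_async(struct server *s, struct client *c) {
    if (c->flags & CLOSE_ASAP) return;
    c->flags |= CLOSE_ASAP;
    c->next_pending = s->pending_close;
    s->pending_close = c;
}

/* The callee that may give up on a client. The buggy shape would call free()
   right here and hand its caller a dangling pointer; the fix only flags it. */
static void serve_blocked(struct server *s, struct client *c) {
    if (c->id < 0) { free_client_async(s, c); return; }
    c->served++;
}

/* The caller: wakes every client blocked on a key and still touches `c`
   after each callback. That is safe only because the callee never frees
   synchronously. Returns the number of clients served. */
int unblock_on_key(struct server *s) {
    int served = 0;
    for (int i = 0; i < s->nblocked; i++) {
        struct client *c = s->blocked[i];
        serve_blocked(s, c);
        if (c->flags & CLOSE_ASAP) { s->skipped++; continue; }  /* still a live object */
        served++;
    }
    return served;
}

/* End of the iteration: no stack frame refers to these clients any more, so
   releasing them is safe. Unlinks them from the blocked table too, so no
   stale pointer survives. Returns how many were freed. */
int free_pending_clients(struct server *s) {
    int n = 0;
    while (s->pending_close) {
        struct client *c = s->pending_close;
        s->pending_close = c->next_pending;
        for (int i = 0; i < s->nblocked; i++) {
            if (s->blocked[i] != c) continue;
            s->blocked[i] = s->blocked[--s->nblocked];
            break;
        }
        free(c);
        s->freed++;
        n++;
    }
    return n;
}

/* Three clients blocked on the same key, one of them already dead.
   Returns served*100 + freed*10 + clients still blocked, i.e. 212. */
int run_demo(void) {
    struct server s;
    memset(&s, 0, sizeof s);
    new_client(&s, 1);
    new_client(&s, -1);
    new_client(&s, 2);
    int served = unblock_on_key(&s);       /* 2 served, 1 flagged, none freed yet */
    int freed = free_pending_clients(&s);  /* 1 freed, 2 still blocked */
    for (int i = 0; i < s.nblocked; i++) free(s.blocked[i]);
    return served * 100 + freed * 10 + s.nblocked;
}

int main(void) { return run_demo() == 212 ? 0 : 1; }
```

The property worth checking is the ordering: after unblock_on_key() returns, nothing has been freed, so every pointer the loop touched was still valid; the release only happens in free_pending_clients(), after the last caller has let go of the object. Whether the real patch takes this route or adds a check at the call site is not stated in the article.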
The Redis Docker image makes the final step easier because its Global Offset Table (GOT) is still writable at runtime, which means the binary is not linked with full RELRO; a writable GOT lets a single controlled write redirect a library call to attacker-chosen code. Address Space Layout Randomization (ASLR) and a Position Independent Executable (PIE) build are in place but do not stop the exploit, since the heap address leaked in the first stage hands the attacker the bearings that randomization was meant to deny. Full RELRO, which requires both a GNU_RELRO segment and the BIND_NOW flag (both visible with readelf on the shipped redis-server binary), would have removed the writable GOT as a target.
Response and Mitigation Strategies
Redis urges users to upgrade to the patched versions: 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3, all intended as drop-in replacements. Where patching has to wait, Redis recommends keeping the server behind TLS, tightening Access Control Lists (ACLs), and not letting a single role hold every sensitive privilege. None of these removes the bug; they shrink the set of principals who can reach the vulnerable code path, which is the right goal for a flaw that any suitably privileged authenticated user can trigger.
To cut risk further, above all for internet-exposed instances, rotate shared credentials and split any role that combines CONFIG, scripting, and stream access, the three capabilities the advisory calls out. The vulnerability is the latest in a run of recent Redis disclosures, and a reminder that memory-safety bugs in a large C code base call for continuous review rather than one-off audits.
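What "tighten ACLs" and "split the roles" look like in practice, as an added example rather than anything from Redis or the advisory: the C program below reads ACL rules in the format ACL LIST prints, resolves them the way Redis layers rules left to right, and flags the two findings this article turns on: a user that is enabled with no password (the Wiz observation) and a role that can run CONFIG, scripting and stream commands at once. The embedded sample lines are constructed: the stock default user, a split into app, worker and ops roles, and a "legacy" role that re-adds CONFIG to a broad grant. The command-to-category table is a small hand-copied subset and an assumption of the example; subcommand rules and ACL selectors are not modelled, and the #... hashes are placeholders.

```c
/* Added example, not Redis's own code: evaluates ACL rules as printed by
 * ACL LIST and flags what the advisory warns about: a user enabled without a
 * password, and one role that can run CONFIG, scripting and stream commands.
 * The command/category table is a hand-copied subset of Redis's categories
 * (an assumption of this example); subcommand rules such as +config|get and
 * selectors are not modelled; the #... hashes are placeholders, not digests. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { C_READ = 1, C_WRITE = 2, C_ADMIN = 4, C_DANGEROUS = 8, C_SCRIPTING = 16, C_STREAM = 32 };
static const struct { const char *name; unsigned cats; } CMDS[] = {
    { "config", C_ADMIN | C_DANGEROUS }, { "eval", C_SCRIPTING }, { "evalsha", C_SCRIPTING },
    { "xadd", C_WRITE | C_STREAM }, { "xreadgroup", C_WRITE | C_STREAM },
    { "xread", C_READ | C_STREAM }, { "get", C_READ }, { "set", C_WRITE },
};
static const struct { const char *name; unsigned bit; } CATS[] = {
    { "read", C_READ }, { "write", C_WRITE }, { "admin", C_ADMIN },
    { "dangerous", C_DANGEROUS }, { "scripting", C_SCRIPTING }, { "stream", C_STREAM },
};
#define NCMDS (sizeof CMDS / sizeof CMDS[0])
#define NCATS (sizeof CATS / sizeof CATS[0])
#define ALL_CMDS ((1u << NCMDS) - 1u)
struct acl_user {
    char name[64];
    int enabled;       /* on / off */
    int nopass;        /* "nopass" with no password added after it */
    unsigned allowed;  /* bit i set => CMDS[i] may be called */
};
enum { F_NOAUTH = 1, F_COMBINED_ROLE = 2 };   /* audit_user() findings */

static unsigned mask_for_cat(const char *cat) {
    unsigned m = 0;
    if (strcmp(cat, "all") == 0) return ALL_CMDS;
    for (size_t i = 0; i < NCATS; i++) {
        if (strcmp(CATS[i].name, cat) != 0) continue;
        for (size_t j = 0; j < NCMDS; j++)
            if (CMDS[j].cats & CATS[i].bit) m |= 1u << j;
    }
    return m;
}
static unsigned mask_for_cmd(const char *cmd) {
    if (strchr(cmd, '|')) return 0;   /* subcommand selector: not modelled */
    for (size_t j = 0; j < NCMDS; j++)
        if (strcmp(CMDS[j].name, cmd) == 0) return 1u << j;
    return 0;                          /* command outside this table */
}

/* Rules apply left to right, later ones overriding earlier ones, as in Redis.
   Key (~), channel (&) and reset* rules do not change command rights. */
static void apply_rule(struct acl_user *u, char *tok) {
    for (char *p = tok; *p; p++) *p = (char)tolower((unsigned char)*p);
    if (!strcmp(tok, "on")) u->enabled = 1;
    else if (!strcmp(tok, "off")) u->enabled = 0;
    else if (!strcmp(tok, "nopass")) u->nopass = 1;
    else if (tok[0] == '>' || tok[0] == '#' || !strcmp(tok, "resetpass")) u->nopass = 0;
    else if (!strcmp(tok, "allcommands")) u->allowed = ALL_CMDS;
    else if (!strcmp(tok, "nocommands")) u->allowed = 0;
    else if (tok[0] == '+' || tok[0] == '-') {
        unsigned m = tok[1] == '@' ? mask_for_cat(tok + 2) : mask_for_cmd(tok + 1);
        if (tok[0] == '+') u->allowed |= m; else u->allowed &= ~m;
    }
}

/* Parses one "user <name> <rule>..." line. Returns 0 on success, -1 otherwise. */
int parse_acl_line(const char *line, struct acl_user *u) {
    char buf[1024], *tok;
    memset(u, 0, sizeof *u);
    snprintf(buf, sizeof buf, "%s", line);
    if (!(tok = strtok(buf, " \t\r\n")) || strcmp(tok, "user") != 0) return -1;
    if (!(tok = strtok(NULL, " \t\r\n"))) return -1;
    snprintf(u->name, sizeof u->name, "%s", tok);
    while ((tok = strtok(NULL, " \t\r\n")) != NULL) apply_rule(u, tok);
    return 0;
}

int user_can(const struct acl_user *u, const char *cmd) {
    return (u->allowed & mask_for_cmd(cmd)) != 0;
}

unsigned audit_user(const struct acl_user *u) {
    unsigned f = 0;
    if (!u->enabled) return 0;   /* a disabled user cannot authenticate at all */
    if (u->nopass) f |= F_NOAUTH;
    int cfg = user_can(u, "config");
    int script = user_can(u, "eval") || user_can(u, "evalsha");
    int stream = user_can(u, "xadd") || user_can(u, "xread") || user_can(u, "xreadgroup");
    if (cfg && script && stream) f |= F_COMBINED_ROLE;
    return f;
}

/* Constructed sample: the stock default user, its rights split into three
   roles, and a role that quietly re-adds CONFIG to a broad grant. */
#define H "#0000000000000000000000000000000000000000000000000000000000000000"
static const char *SAMPLE_ACL[] = {
    "user default on nopass ~* &* +@all",
    "user app on " H " ~app:* resetchannels -@all +@read +@write -@dangerous",
    "user worker on " H " ~jobs:* resetchannels -@all +@read +@stream",
    "user ops on " H " ~* resetchannels -@all +@read +config",
    "user legacy on " H " ~* &* +@all -@dangerous +config",
};
```

Run over SAMPLE_ACL, audit_user() flags default (no password, every command) and legacy (CONFIG re-added on top of +@all -@dangerous, so it still holds CONFIG, EVAL and XADD together), and passes app, worker and ops, none of which can both run scripts and touch CONFIG. The hardened counterpart of the first line is `user default off resetchannels -@all`, once every client has been moved to a named user. For a real audit, feed it the output of `redis-cli ACL LIST` and extend the table with the commands you care about; note that it errs toward under-reporting, since a subcommand-only grant or a command outside the table counts as not granted.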
