Redis has disclosed and patched five security vulnerabilities: four rated High (CVSS 7.7) and one rated Medium (CVSS 6.1), all of which could enable remote code execution by authenticated attackers. Administrators running self-managed Redis Software or Open Source/Community Edition (OSS/CE) deployments are urged to upgrade immediately.
On May 5, 2026, Redis published a comprehensive security advisory detailing five vulnerabilities that were proactively identified in the Redis server, its Lua scripting engine, and associated modules, including RedisTimeSeries and RedisBloom. The disclosures are directly linked to findings made at the Wiz ZeroDay.Cloud live hacking event, where independent researchers competed to identify zero-days in the world's most deployed cloud databases, including Redis, PostgreSQL, and MariaDB, earning $320,000 in rewards with an 85% success rate across all live hacking attempts. Redis Cloud customers have already been automatically patched, so no action is required on their part.
The Five Vulnerabilities Explained
The first flaw, a use-after-free in the server core, affects Redis versions 7.2.0 through 8.6.3 and stems from the unblock-client flow mishandling an error return from processCommandAndResetClient when it re-executes a blocked command. (The fixed-version list later in this article names 8.6.3 as a patched release, so read the affected ranges quoted here as running up to, but not including, the fixed release of each branch.)
When a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free (UAF) vulnerability. This CWE-416 weakness may lead to full remote code execution. The vulnerability was reported by Team Xint Code (Tim Becker, Jacob Newman, and Juno IM) during the Wiz ZeroDay.Cloud event.
The core RESTORE bug, CVE-2026-25243, is a critical input-validation gap in the Redis RESTORE command: any authenticated user permitted to execute the command can supply a specially crafted serialized payload that triggers invalid memory access.
This CWE-20 (Improper Input Validation) flaw affects all versions of redis-server up to and including 8.6.3, and successful exploitation grants arbitrary code execution in the context of the Redis server process, potentially resulting in full system compromise, data exfiltration, or service disruption.
The vulnerability was reported independently by researchers Emil Lerner (a double-free vector in Redis) and Joseph Surin (an integer overflow and out-of-bounds read in VectorSets).
When the RESTORE command is executed on a Redis server with the RedisTimeSeries module loaded (CVE-2026-25588), a crafted serialized payload can trigger invalid memory access due to insufficient validation within the module.
This vulnerability affects all RedisTimeSeries versions before 1.12.14, as well as all impacted Redis OSS/CE and Software versions. It was discovered by the independent research team “Skateboarding Dog”: Joseph Surin, John Stephenson, and Annie Nie during the Wiz ZeroDay.Cloud event.
Similar in nature to CVE-2026-25588, CVE-2026-25589 resides in the RedisBloom probabilistic data structures module, where malformed RESTORE payloads trigger out-of-bounds reads/writes, integer overflows, and heap buffer overflows.
All RedisBloom versions before 2.8.20 are affected. The vulnerabilities were discovered by researchers Daniel Firer and Joseph Surin, who identified multiple memory corruption primitives within the module.
Identified by independent researcher Yoni Sherez, this medium-severity flaw, CVE-2026-23631, exists in all Redis versions with Lua scripting. It allows an authenticated attacker to abuse the master-replica synchronization mechanism to trigger a use-after-free condition.
The bug affects only replicas where replica-read-only is disabled or can be disabled; the default read-only replica configuration is not affected. As a workaround, deny Lua script execution to untrusted users (the @scripting ACL command category) or do not run replicas with replica-read-only disabled.
All five vulnerabilities are post-authentication attack vectors, requiring valid credentials before exploitation. However, the risk is non-trivial: Redis is deployed in an estimated 75% of cloud environments, and a significant portion, particularly container-based deployments, run without authentication, in which case the "post-authentication" qualifier offers no protection at all.
An attacker who compromises application-layer credentials can pivot into the Redis layer to trigger RCE, enabling data theft, malware installation, credential harvesting, or lateral movement using stolen IAM tokens. As of the May 5 advisory, Redis has confirmed that there is no evidence of exploitation in the wild.
Affected and Fixed Versions
For Redis OSS/CE, versions 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3 contain fixes for all five CVEs. Redis Software fixed releases include 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.
For modules: RedisTimeSeries v1.12.14, v1.10.24, and v1.8.23 address CVE-2026-25588, and RedisBloom v2.8.20, v2.6.28, and v2.4.23 address CVE-2026-25589. Downloads are available at redis.io/downloads/.
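The version lists above are easy to misread in a mixed fleet (six core branches, three branches per module, and modules reporting their version as a single integer). The following is an added example, not code from Redis or from the advisory, that encodes those lists and decides for one instance whether each component is at or above the fixed release for its branch. It assumes the module names under which RedisTimeSeries and RedisBloom register ("timeseries" and "bf") and the usual major*10000 + minor*100 + patch integer encoding of module versions; the sample INFO and MODULE LIST data are constructed.

```python
"""Decide whether a Redis core or module build is at or above the fixed release
for its branch, using the fixed-version lists from the advisory."""
from __future__ import annotations

import re

# Fixed Redis OSS/CE releases per branch, as listed in the advisory.
FIXED_CORE = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}

# Fixed module releases from the advisory, keyed by the name each module
# registers under (assumption: timeseries = RedisTimeSeries, bf = RedisBloom).
FIXED_MODULES = {
    "timeseries": [(1, 8, 23), (1, 10, 24), (1, 12, 14)],
    "bf": [(2, 4, 23), (2, 6, 28), (2, 8, 20)],
}


def parse_version(text: str) -> tuple[int, int, int]:
    """'7.2.13' -> (7, 2, 13). Tolerates a trailing suffix such as '-rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3])


def decode_module_version(ver: int) -> tuple[int, int, int]:
    """Modules report one integer, major*10000 + minor*100 + patch
    (so RedisTimeSeries 1.12.14 shows up in MODULE LIST as 11214)."""
    return ver // 10000, (ver // 100) % 100, ver % 100


def core_status(version: str) -> tuple[str, tuple | None]:
    """Return ('fixed' | 'vulnerable' | 'unlisted', fixed release for the branch)."""
    v = parse_version(version)
    fixed = FIXED_CORE.get(v[:2])
    if fixed is None:
        # A branch with no fixed release in the advisory: treat it as affected
        # and plan a move to a listed branch rather than assuming it is safe.
        return "unlisted", None
    return ("fixed" if v >= fixed else "vulnerable"), fixed


def module_status(name: str, ver: int) -> tuple[str, tuple | None]:
    """Same decision for a loaded module, matched on its major.minor branch."""
    v = decode_module_version(ver)
    for fixed in FIXED_MODULES.get(name.lower(), []):
        if fixed[:2] == v[:2]:
            return ("fixed" if v >= fixed else "vulnerable"), fixed
    return "unlisted", None  # module not in the advisory, or an unlisted branch


def parse_info_server(text: str) -> dict[str, str]:
    """Parse the 'key:value' lines returned by INFO server."""
    out = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, val = line.partition(":")
            out[key.strip()] = val.strip()
    return out


def assess(info_text: str, modules: list[tuple[str, int]]) -> dict[str, tuple[str, tuple | None]]:
    """Combine the core check with one check per loaded (name, version) module."""
    info = parse_info_server(info_text)
    result = {"redis-server": core_status(info["redis_version"])}
    for name, ver in modules:
        result[name] = module_status(name, ver)
    return result


if __name__ == "__main__":
    # Constructed sample: an unpatched 7.2 server with both modules loaded.
    SAMPLE_INFO = "# Server\r\nredis_version:7.2.13\r\nredis_mode:standalone\r\n"
    SAMPLE_MODULES = [("timeseries", 11213), ("bf", 20820)]
    for component, (status, fixed) in assess(SAMPLE_INFO, SAMPLE_MODULES).items():
        print(f"{component:14} {status:11} fixed release: {fixed}")
```

Feed it the output of `redis-cli INFO server` and the name/ver pairs from `redis-cli MODULE LIST`; anything reported as "unlisted" (a branch the advisory does not name, or a module it does not cover) should be treated as needing a manual decision, not as clean.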
Mitigation
Administrators should take the following immediate steps to reduce exposure before or alongside patching:
- Restrict RESTORE via ACL rules – The documented interim workaround for CVE-2026-25243, CVE-2026-25588, and CVE-2026-25589 is to deny untrusted users the RESTORE command via Redis ACL rules (for example, by appending -restore to a user's rule list). ACL rules are applied left to right, so a later +@all or +@write grant re-enables the command; check the effective permissions, not just the presence of a deny.
- Disable Lua scripting where unnecessary – For CVE-2026-23631, denying the @scripting command category (EVAL, EVALSHA, FUNCTION and related commands) to users who do not need it removes the attack surface; also ensure replica-read-only remains enabled on all replicas, since the bug is only reachable on writable replicas.
- Enforce network segmentation – Use firewalls and network policies so only trusted application servers can reach Redis ports, and block all public-facing access.
- Enable strong authentication – Require credentials for all connections and keep protected-mode enabled in CE and OSS deployments (it is on by default and refuses non-loopback connections when no password is configured).
- Monitor for exploitation indicators – Watch for unexplained Redis crashes with Lua-engine stack traces, anomalous ingress/egress network traffic, unknown command execution under the redis-server user, and unauthorized changes to Redis config or data directories.
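Because ACL rules are evaluated in order, a users.acl file can contain "-restore" and still leave RESTORE reachable. The following is an added example, not code from Redis or from the advisory, that folds each user's rule list the way redis-server does and reports which enabled users can still reach RESTORE or the scripting commands. The category table inside it is a constructed subset of the real one (enough for these commands), the sample ACL files are constructed, and the "weak" versus "hardened" pair shows the first two mitigation bullets applied.

```python
"""Check whether a Redis ACL (users.acl file or `ACL LIST` output) still lets a
user reach RESTORE or the Lua scripting commands. Rules are applied left to
right as redis-server applies them: a later +/- entry overrides an earlier one."""
from __future__ import annotations

import hashlib
import re

# Constructed subset of redis-server's ACL category table (category -> commands),
# limited to the commands this advisory is about plus a few for contrast.
# It is NOT the full table; a real audit should build it from COMMAND INFO.
CATEGORIES: dict[str, set[str]] = {
    "keyspace": {"restore", "flushall"},
    "write": {"restore", "set", "flushall"},
    "read": {"get"},
    "string": {"get", "set"},
    "fast": {"get", "ping"},
    "connection": {"ping"},
    "slow": {"restore", "set", "flushall", "eval", "evalsha", "eval_ro",
             "function", "script", "debug", "config"},
    "dangerous": {"restore", "flushall", "debug", "config"},
    "scripting": {"eval", "evalsha", "eval_ro", "function", "script"},
    "admin": {"debug", "config"},
}
ALL_COMMANDS: set[str] = set().union(*CATEGORIES.values())
SCRIPTING: set[str] = CATEGORIES["scripting"]


def evaluate_rules(rules: list[str]) -> dict:
    """Fold a user's rule tokens into enabled / nopass / allowed-command state."""
    state = {"on": False, "nopass": False, "allowed": set(), "has_selectors": False}
    in_selector = False
    for rule in rules:
        r = rule.lower()
        # "(...)" selector blocks add alternative permissions; they are not folded
        # here, only flagged, so their tokens must not leak into the root rules.
        if in_selector or r.startswith("("):
            state["has_selectors"] = True
            in_selector = not r.endswith(")")
            continue
        if r == "on":
            state["on"] = True
        elif r == "off":
            state["on"] = False
        elif r == "nopass":
            state["nopass"] = True
        elif r == "resetpass" or r[0] in ">#":      # a password (or its SHA-256) was set
            state["nopass"] = False
        elif r in ("allcommands", "+@all"):
            state["allowed"] = set(ALL_COMMANDS)
        elif r in ("nocommands", "-@all"):
            state["allowed"] = set()
        elif r == "reset":                           # off + resetpass + nocommands + ...
            state.update(on=False, nopass=False, allowed=set())
        elif r.startswith("+@"):
            state["allowed"] |= CATEGORIES.get(r[2:], set())
        elif r.startswith("-@"):
            state["allowed"] -= CATEGORIES.get(r[2:], set())
        elif r.startswith("+"):
            # "+cmd|sub" grants only a subcommand; counted as the whole command
            # here, which errs on the side of reporting access.
            state["allowed"].add(r[1:].split("|", 1)[0])
        elif r.startswith("-"):
            state["allowed"].discard(r[1:].split("|", 1)[0])
        # ~keys, %RW~keys, &channels, sanitize-payload etc. do not change command access
    return state


def parse_acl(text: str) -> dict[str, list[str]]:
    """Accepts users.acl lines or redis-cli ACL LIST lines ('N) "user <name> ..."')."""
    users = {}
    for line in text.splitlines():
        line = re.sub(r'^\s*\d+\)\s*', "", line).strip().strip('"')
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users


def audit(text: str) -> dict[str, dict]:
    report = {}
    for name, rules in parse_acl(text).items():
        st = evaluate_rules(rules)
        report[name] = {
            "enabled": st["on"],
            "nopass": st["nopass"],
            "can_restore": "restore" in st["allowed"],
            "can_script": bool(st["allowed"] & SCRIPTING),
            "has_selectors": st["has_selectors"],
        }
    return report


def findings(text: str, trusted: frozenset[str] | set[str] = frozenset()) -> list[str]:
    """Enabled users outside `trusted` that still reach RESTORE or scripting,
    plus any enabled user that needs no password."""
    out = []
    for name, r in audit(text).items():
        if not r["enabled"]:
            continue
        if r["nopass"]:
            out.append(f"{name}: no password required")
        if name in trusted:
            continue
        if r["can_restore"]:
            out.append(f"{name}: RESTORE still allowed")
        if r["can_script"]:
            out.append(f"{name}: Lua scripting still allowed")
        if r["has_selectors"]:
            out.append(f"{name}: has ACL selectors, review their permissions by hand")
    return out


# Constructed examples, not a real deployment. WEAK_ACL is what an unmanaged
# instance typically looks like; HARDENED_ACL applies the interim workarounds.
ADMIN_HASH = hashlib.sha256(b"rotate-me-before-use").hexdigest()  # "#<sha256>" form
WEAK_ACL = """
user default on nopass ~* &* +@all
user app on >hunter2 ~* &* +@all
"""
HARDENED_ACL = f"""
user default on >changeme ~* &* +@all -restore -@scripting
user app on >hunter2 ~app:* &* +@all -restore -@scripting
user admin on #{ADMIN_HASH} ~* &* +@all
"""

if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(label, findings(acl, trusted={"admin"}) or ["no findings"])
```

Run it against `redis-cli ACL LIST` output from each instance; the point of folding the rules rather than grepping for "-restore" is that "-restore +@write" leaves RESTORE allowed while "+@write -restore" does not.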
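For the monitoring bullet, the two signals a practitioner can actually act on are the crash report redis-server writes to its log on a fatal signal and the command stream visible through MONITOR. The following is an added example, not code from Redis or from the advisory, that scans both: it classifies crash reports by whether the backtrace runs through the Lua engine or the RESTORE deserialisation path, and flags RESTORE and scripting commands arriving from hosts that are not the application tier. The symbol prefixes, the sample log, and the sample MONITOR excerpt are constructed for illustration.

```python
"""Scan redis-server log output for crash reports whose backtrace runs through
the Lua engine or the RESTORE/RDB loading path, and scan MONITOR output for
RESTORE / scripting commands from hosts that should not be sending them."""
from __future__ import annotations

import re
from dataclasses import dataclass

CRASH_START = "=== REDIS BUG REPORT START"
CRASH_END = "=== REDIS BUG REPORT END"
# Backtrace lines look like "<binary>(<symbol>+0x<off>)[0x<addr>]".
FRAME_RE = re.compile(r"\(([A-Za-z_][A-Za-z0-9_]*)\+0x[0-9a-f]+\)")
# Illustrative symbol prefixes (an assumption, not an exhaustive list): Lua VM
# frames start with "lua"; RESTORE deserialisation goes through
# restoreCommand -> verifyDumpPayload / rdbLoad*.
LUA_PREFIXES = ("lua",)
RESTORE_PREFIXES = ("restoreCommand", "verifyDumpPayload", "rdbLoad")

WATCHED_COMMANDS = {"RESTORE", "EVAL", "EVALSHA", "EVAL_RO", "FUNCTION", "SCRIPT"}
# MONITOR lines: '<unix ts> [<db> <addr>] "CMD" "arg" ...'; addr is "lua" for
# commands issued from inside a running script.
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<src>\S+)\] "(?P<cmd>[^"]+)"')


@dataclass
class Alert:
    kind: str    # "crash" or "command"
    detail: str


def classify_backtrace(frames: list[str]) -> str:
    if any(f.startswith(LUA_PREFIXES) for f in frames):
        return "lua-engine"
    if any(f.startswith(RESTORE_PREFIXES) for f in frames):
        return "restore-path"
    return "other"


def scan_server_log(lines: list[str]) -> list[Alert]:
    """One alert per crash report; a report cut off before its END marker
    (process killed, log rotated) is still reported, flagged as truncated."""
    alerts, frames, in_report = [], [], False
    for line in lines:
        if CRASH_START in line:
            in_report, frames = True, []
        elif in_report and CRASH_END in line:
            alerts.append(Alert("crash", f"{classify_backtrace(frames)} crash, frames={frames}"))
            in_report = False
        elif in_report:
            frames += FRAME_RE.findall(line)
    if in_report:
        alerts.append(Alert("crash", f"{classify_backtrace(frames)} crash (truncated report), frames={frames}"))
    return alerts


def scan_monitor(lines: list[str], trusted_hosts: set[str]) -> list[Alert]:
    """Flag watched commands whose source host is outside the trusted set."""
    alerts = []
    for line in lines:
        m = MONITOR_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].upper()
        host = m["src"] if m["src"] == "lua" else m["src"].rsplit(":", 1)[0]
        if cmd in WATCHED_COMMANDS and host not in trusted_hosts:
            alerts.append(Alert("command", f"{cmd} from {m['src']} at {m['ts']}"))
    return alerts


# Constructed sample log: a signal-11 crash with Lua frames on the stack.
SAMPLE_LOG = """\
2801:M 05 May 2026 10:15:23.101 * Ready to accept connections tcp
=== REDIS BUG REPORT START: Cut & paste starting from here ===
2801:M 05 May 2026 10:17:41.512 # Redis 7.2.13 crashed by signal: 11, si_code: 1
2801:M 05 May 2026 10:17:41.512 # Accessing address: 0x10
------ STACK TRACE ------
Backtrace:
/usr/local/bin/redis-server *:6379(logStackTrace+0x4a)[0x55d1c0a3e2aa]
/usr/local/bin/redis-server *:6379(luaV_execute+0x1c3)[0x55d1c0b01233]
/usr/local/bin/redis-server *:6379(luaRedisGenericCommand+0x2f1)[0x55d1c0ad7e91]
/usr/local/bin/redis-server *:6379(evalCommand+0x7d)[0x55d1c0ad93fd]
=== REDIS BUG REPORT END. Make sure to include from START to END. ===
""".splitlines()

# Constructed MONITOR excerpt: 10.0.0.2 is the app tier, 10.0.0.77 is not.
SAMPLE_MONITOR = """\
1778000000.120001 [0 10.0.0.2:51234] "GET" "session:abc"
1778000000.120450 [0 10.0.0.2:51234] "EVALSHA" "a5e0c2..." "1" "session:abc"
1778000000.121900 [0 10.0.0.77:40210] "RESTORE" "x" "0" "\\x00\\x03..."
1778000000.122300 [0 lua] "SET" "x" "1"
""".splitlines()

if __name__ == "__main__":
    for a in scan_server_log(SAMPLE_LOG) + scan_monitor(SAMPLE_MONITOR, {"10.0.0.2"}):
        print(a.kind, a.detail)
```

MONITOR carries a real cost on a busy instance and, in ACL-enabled builds, does not show which user issued the command, so pair the command scan with ACL LOG and with the log-file crash scan rather than relying on it alone.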
FAQ
Q1: Are Redis Cloud customers affected by these five CVEs?
No, Redis Cloud deployments have already been automatically patched, and no action is required from customers.
Q2: Do these vulnerabilities require unauthenticated access to exploit?
No. All five CVEs are post-authentication issues; an attacker must hold valid Redis credentials before exploitation is possible. Instances deployed without authentication, which remain common in container environments, are effectively open to anyone who can reach the port.
Q3: What is the quickest workaround before patching for the RESTORE command CVEs?
Apply an ACL rule to restrict or deny execution of the RESTORE command for all non-administrative user identities in Redis.
Q4: Which Redis versions contain fixes for all five vulnerabilities?
Redis OSS/CE versions 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3 include patches for all five CVEs.
Site: thecybrdef.com