Redis has disclosed five security vulnerabilities (CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, CVE-2026-23631) affecting Redis OSS/CE, Redis Software, and Redis Cloud. Four are rated High (CVSS 7.7) and one Medium (CVSS 6.1). The vulnerabilities include use-after-free bugs and invalid memory access issues in the RESTORE command and Lua scripting, all potentially leading to remote code execution by authenticated attackers. Redis Cloud customers are already protected. Self-managed users should upgrade to fixed versions (OSS/CE 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3) and follow best practices: restrict network access, enforce strong authentication, limit permissions, and keep Redis updated. No evidence of exploitation has been found as of publication.
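To check self-managed OSS/CE nodes against the fixed versions listed above, the following added example (not Redis's own tooling) parses the `redis_version` field from `INFO server` output and compares it to the fixed release for its branch. The host names and INFO text are constructed samples; branches the advisory summary does not list are reported as such rather than guessed.

```python
import re

# Fixed OSS/CE releases named in the advisory summary, keyed by (major, minor).
FIXED_PATCH = {(6, 2): 22, (7, 2): 14, (7, 4): 9, (8, 2): 6, (8, 4): 3, (8, 6): 3}


def parse_redis_version(info_text):
    """Return redis_version from INFO server output as a tuple of three ints."""
    # INFO output uses CRLF line endings, so allow trailing whitespace.
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)\s*$", info_text, re.MULTILINE)
    if not m:
        raise ValueError("no redis_version field found")
    return tuple(int(part) for part in m.groups())


def patch_status(version):
    """Classify a version against the fixed release for its branch."""
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Branch is not in the list above; check the full advisory by hand.
        return "unlisted-branch"
    return "patched" if patch >= fixed else "needs-upgrade"


def audit(fleet):
    """Map each host to its patch status; fleet maps host -> INFO server text."""
    report = {}
    for host, info_text in fleet.items():
        try:
            report[host] = patch_status(parse_redis_version(info_text))
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed sample input: hypothetical hosts with abbreviated INFO server output.
SAMPLE_FLEET = {
    "cache-a.example.internal": "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n",
    "cache-b.example.internal": "# Server\r\nredis_version:8.2.6\r\nredis_mode:standalone\r\n",
    "cache-c.example.internal": "# Server\r\nredis_version:7.0.15\r\nredis_mode:standalone\r\n",
    "cache-d.example.internal": "-NOAUTH Authentication required.\r\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_FLEET).items()):
        print(f"{host}: {status}")
```
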