CVE-2026-23631: RCE in Redis 0.0.0 - < 8.6.3
Platform
redis
Component
redis
Fixed in
8.6.3
CVE-2026-23631 affects Redis, an in-memory data structure store, impacting systems utilizing the master-replica synchronization mechanism. An authenticated attacker can exploit this mechanism to trigger a use-after-free condition on replicas where replica-read-only is disabled, potentially leading to remote code execution. The vulnerability impacts all versions of Redis prior to 8.6.3, and a patch is available in version 8.6.3.
Impact and attack scenarios
An attacker who can authenticate to the Redis master server can exploit this vulnerability to gain remote code execution on replicas. The attack involves leveraging the master-replica synchronization process to trigger a use-after-free condition when Lua scripts are executed on replicas with disabled replica-read-only mode. Successful exploitation could allow an attacker to compromise the replica server, potentially leading to data theft, system takeover, or denial of service. The blast radius extends to any application or service relying on the compromised Redis replica.
Exploitation context
The vulnerability was published on 2026-05-05. Exploitation context is currently unknown, and no public proof-of-concept (POC) code has been released. The vulnerability's severity is pending evaluation. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Threat analysis
Exploit status
EPSS
0.08% (23rd percentile)
Affected software
Vulnerability classification (CWE)
Timeline
- Published
- Modified
- EPSS updated
Mitigation and workarounds
The primary mitigation for CVE-2026-23631 is to upgrade to Redis version 8.6.3 or later. If immediate upgrade is not possible, disable Lua script execution on replicas or enable replica-read-only mode. Implement network segmentation to limit the potential impact of a compromise. Monitor Redis logs for unusual activity related to Lua script execution and master-replica synchronization. After upgrade, confirm the fix by attempting to trigger the vulnerability and verifying that no errors or crashes occur.
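An added example, not code from this advisory or from the Redis project: a Python checker that takes captured `INFO` and `CONFIG GET replica-read-only` output from a node and reports whether it matches the affected configuration described above (older than 8.6.3, acting as a replica, replica-read-only disabled). The sample output below is constructed; the field names redis_version, role and replica-read-only are the real Redis ones.

```python
# Added example (not from the advisory): classify a Redis node from captured
# INFO and CONFIG GET output against the conditions the advisory describes.
import re

FIXED_VERSION = (8, 6, 3)  # first fixed release named in the advisory

def parse_version(s):
    """Turn 'redis_version' text such as '7.2.4' into a comparable tuple."""
    parts = [int(p) for p in re.findall(r"\d+", s)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def parse_info(text):
    """Parse INFO output (key:value lines, CRLF, '#' section headers) into a dict."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        out[key] = value
    return out

def parse_config_get(entries):
    """CONFIG GET returns alternating name/value entries; fold them into a dict."""
    return dict(zip(entries[0::2], entries[1::2]))

def assess(info_text, config_entries):
    """Return 'patched', 'exposed' or 'unpatched' for one node."""
    info = parse_info(info_text)
    cfg = parse_config_get(config_entries)
    version = parse_version(info.get("redis_version", "0.0.0"))
    is_replica = info.get("role") == "slave"  # INFO still reports replicas as 'slave'
    read_only = cfg.get("replica-read-only", "yes") == "yes"  # Redis default is yes
    if version >= FIXED_VERSION:
        return "patched"
    if is_replica and not read_only:
        return "exposed"    # unpatched replica with replica-read-only disabled
    return "unpatched"      # older than 8.6.3, but not in the risky replica configuration

# Constructed sample output, shaped like what redis-cli prints
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\n# Replication\r\nrole:slave\r\n"
SAMPLE_CONFIG = ["replica-read-only", "no"]

if __name__ == "__main__":
    print(assess(SAMPLE_INFO, SAMPLE_CONFIG))  # exposed
```

Run it against each replica's output; any node reported as "exposed" should be prioritised for the upgrade or for re-enabling replica-read-only.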
How to fix
To mitigate this risk, upgrade to Redis version 8.6.3 or later. Alternatively, disable Lua script execution or avoid using replicas on which the replica-read-only option is disabled.
Frequently asked questions
What is CVE-2026-23631 — Remote Code Execution (RCE) in Redis?
It's a Remote Code Execution (RCE) vulnerability in Redis related to master-replica synchronization and Lua scripting.
Am I affected by CVE-2026-23631 in Redis?
If you're running Redis versions prior to 8.6.3, you are potentially affected. Upgrade immediately.
How do I fix CVE-2026-23631 in Redis?
Upgrade to Redis version 8.6.3 or later. Disable Lua scripts on replicas or enable replica-read-only as a temporary measure.
Is CVE-2026-23631 being actively exploited?
Currently, there are no public reports of active exploitation, but the vulnerability's potential impact warrants immediate attention.
Where can I find the official Redis advisory for CVE-2026-23631?
Refer to the Redis security advisory and the NVD entry for CVE-2026-23631 for detailed information.