CVE-2026-25243: RCE in Redis 1.0.0 to before 8.6.3
Platform: redis
Component: redis
Fixed in: 8.6.3
CVE-2026-25243 describes a Remote Code Execution (RCE) vulnerability affecting Redis versions from 1.0.0 up to, but not including, 8.6.3. It stems from insufficient validation in the RESTORE command, which accepts a serialized value (the format produced by DUMP) and rebuilds the key from it. An authenticated attacker who is allowed to run RESTORE can submit a crafted payload that passes the command's checks and triggers invalid memory access, which can be turned into arbitrary code execution on the Redis server. The vulnerability was published on May 5, 2026; the fix ships in version 8.6.3.
Impact and Attack Scenarios
The impact of CVE-2026-25243 is severe. An attacker who can authenticate to the Redis server and has permission to use RESTORE crafts a malicious serialized payload; when RESTORE processes it, the invalid memory access it triggers can be leveraged into remote code execution with the privileges of the Redis process. Everything stored in the instance is then within reach: the attacker can read, modify or delete it, and can go on to attack the host and anything the Redis process can reach. Note that "authenticated" is a weak barrier on many deployments: an instance with no password and a fully privileged default user is, in practice, exposed to anyone who can reach its port. The bug belongs to the familiar class of deserialization flaws in which crafted input slips past validation and reaches code that trusts it. Successful exploitation can mean complete system compromise, data breaches and denial of service.
Exploitation Context
The exploitation context for CVE-2026-25243 is currently unclear: no public exploits or active campaigns had been reported as of the publication date. The vulnerability is not listed in CISA's KEV (Known Exploited Vulnerabilities) catalog, and its EPSS (Exploit Prediction Scoring System) score is low (0.09%, 26th percentile at the time of writing), so the probability of exploitation in the wild is currently estimated to be low. Monitor security advisories and threat intelligence feeds for updates, and refer to the official Redis security advisory for further details.
Threat Intelligence
Exploit status: no public exploit or active exploitation reported as of publication
EPSS: 0.09% (26th percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2026-25243 is to upgrade to Redis version 8.6.3 or later, which contains the fix. If an immediate upgrade is not possible, the key workaround is to withhold the RESTORE command through Access Control Lists (ACLs): remove RESTORE from every user that does not need it, including the default user if the instance is reachable without a password, and leave it only to the accounts that genuinely restore DUMP payloads. Be aware that MIGRATE and cluster resharding deliver keys to the destination node as RESTORE commands, so denying it to the wrong user breaks those operations. Network segmentation that keeps the Redis port away from untrusted networks further shrinks the attack surface. Regularly review and audit the Redis configuration and ACL rules to ensure they are still in force. After upgrading, confirm the fix by checking the version the server reports (the redis_version field of INFO server) and by verifying that the ACL rules still deny RESTORE where intended; do not rely on replaying a "known malicious payload", since no public exploit payload exists for this issue and a rejected RESTORE proves nothing about the patch.
How to fix
To mitigate this risk, upgrade to Redis version 8.6.3 or later. If you cannot upgrade immediately, restrict access to the RESTORE command with access control (ACL) rules so that unauthorized users cannot exploit the vulnerability. See the Redis documentation for details on configuring ACLs.
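The procedure above (check the running version, then withhold RESTORE until the upgrade lands) as a script, added here as an example and not taken from the advisory or from the Redis project. It assumes bash, redis-cli on PATH for the live check, and an application user named "app" as a placeholder. Removing restore-asking alongside RESTORE is the author's conservative assumption (it is the cluster-redirect variant that shares RESTORE's implementation); the advisory itself names only RESTORE.

```shell
#!/usr/bin/env bash
# Added example for this page, not Redis project code.
# Decides from INFO output whether an instance still needs the CVE-2026-25243
# fix and emits the ACL rule that withholds RESTORE from a user meanwhile.
# Assumptions: bash, redis-cli on PATH (live check only), user name "app"
# is a placeholder.

FIXED_VERSION="8.6.3"

# version_lt A B: succeed when dotted version A sorts before B,
# comparing component by component numerically (8.6 < 8.6.3).
version_lt() {
  local lhs="$1" rhs="$2" l r
  while [ -n "$lhs" ] || [ -n "$rhs" ]; do
    l=${lhs%%.*}; r=${rhs%%.*}
    [ "${l:-0}" -lt "${r:-0}" ] && return 0
    [ "${l:-0}" -gt "${r:-0}" ] && return 1
    # drop the leading component; an undotted remainder was the last one
    if [ "$lhs" = "${lhs#*.}" ]; then lhs=""; else lhs=${lhs#*.}; fi
    if [ "$rhs" = "${rhs#*.}" ]; then rhs=""; else rhs=${rhs#*.}; fi
  done
  return 1
}

# affected VERSION: succeed when VERSION predates the fixed release.
affected() { version_lt "$1" "$FIXED_VERSION"; }

# version_from_info INFO_TEXT: print the redis_version field of INFO output.
# redis-cli emits CRLF line endings, so carriage returns are stripped first.
version_from_info() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^redis_version:\(.*\)$/\1/p'
}

# acl_setuser USER: the runtime command that removes RESTORE (and, by the
# assumption noted in the lead-in, restore-asking) from an existing user.
acl_setuser() { printf 'ACL SETUSER %s -restore -restore-asking\n' "$1"; }

# check_live [redis-cli options]: query a running instance and report.
# Example: check_live -h 10.0.0.5 -a "$REDIS_PASS"
check_live() {
  local info ver
  info=$(redis-cli "$@" INFO server) || return 2
  ver=$(version_from_info "$info")
  if affected "$ver"; then
    echo "redis $ver: AFFECTED; upgrade to $FIXED_VERSION+ or apply: $(acl_setuser app)"
    return 1
  fi
  echo "redis $ver: fixed"
}

# Constructed INFO sample (an 8.6.2 server) so the logic runs offline.
SAMPLE_INFO='# Server
redis_version:8.6.2
redis_mode:standalone'
sample_ver=$(version_from_info "$SAMPLE_INFO")
if affected "$sample_ver"; then
  echo "sample ($sample_ver): affected; stopgap: $(acl_setuser app)"
else
  echo "sample ($sample_ver): not affected"
fi
```

The same restriction in a users.acl file is the per-user line with "-restore" appended, for example "user app on >secret ~* &* +@all -restore". Apply it to the default user too if the instance has no password, and keep RESTORE on the one account that MIGRATE or your backup tooling authenticates as, otherwise those transfers fail on the destination node. Verify with ACL GETUSER app that the command no longer appears among the user's permissions.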
Frequently asked questions
What is CVE-2026-25243 — RCE in Redis?
CVE-2026-25243 is a Remote Code Execution vulnerability in Redis versions from 1.0.0 up to, but not including, 8.6.3. An attacker who is authenticated and allowed to run RESTORE can exploit it with a crafted serialized payload, potentially gaining control of the server.
Am I affected by CVE-2026-25243 in Redis?
You are affected if you are running any Redis version from 1.0.0 up to, but not including, 8.6.3. Check your version with redis-cli INFO server | grep redis_version. If the reported version is older than 8.6.3, you need to take action.
How do I fix CVE-2026-25243 in Redis?
The recommended fix is to upgrade to Redis version 8.6.3 or later. As a temporary workaround, remove the RESTORE command from every user that does not need it using ACLs.
Is CVE-2026-25243 being actively exploited?
As of the publication date, there are no reports of active exploitation. However, it's crucial to apply the patch or workaround promptly to mitigate the risk.
Where can I find the official Redis advisory for CVE-2026-25243?
Refer to the official Redis security advisory. Redis publishes its advisories through the GitHub security advisories of the redis/redis repository and on its release notes; search those, or your preferred vulnerability database, for 'CVE-2026-25243'.