CVE-2026-25588: RCE in RedisTimeSeries Module

Platform

redis

Component

redis-server

Fixed in

1.12.14

CVE-2026-25588 is a Remote Code Execution (RCE) vulnerability affecting RedisTimeSeries, a time-series module for Redis. This vulnerability allows an authenticated attacker to execute arbitrary code on a server running the vulnerable module. It impacts versions of RedisTimeSeries prior to 1.12.14, and a patch is available in version 1.12.14.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-25588 allows an attacker to gain complete control over the Redis server. This includes the ability to read, modify, and delete data stored within Redis, as well as execute arbitrary commands on the underlying operating system. The attack leverages the RESTORE command, so the attacker must be authenticated and must hold the permissions needed to execute that command. Given Redis's common use as a caching layer and session store, a successful compromise could lead to widespread data breaches and system takeover. The blast radius extends to any application or service relying on the compromised Redis instance.

Exploitation Context

CVE-2026-25588 is currently not listed on KEV or EPSS, suggesting a low to medium probability of active exploitation. Public Proof-of-Concept (POC) code is likely to emerge given the RCE nature of the vulnerability. The vulnerability was published on 2026-05-05, and it is advisable to monitor security advisories and threat intelligence feeds for any indications of exploitation campaigns. Refer to the Redis security advisory for further details.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.27% (50th percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base score: 8.8 (HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

CVSS v3.1 Base Score (nextguardhq.com)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: redis-server
Vendor: RedisTimeSeries
Maximum version: 1.12.14
Fixed in: 1.12.14

Weakness Classification (CWE)

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-25588 is to upgrade RedisTimeSeries to version 1.12.14 or later. If immediate upgrading is not possible due to compatibility issues or downtime constraints, restrict access to the RESTORE command using Redis Access Control Lists (ACLs). This limits the ability of authenticated users to execute the vulnerable command. Consider implementing network segmentation to isolate Redis instances from untrusted networks. After upgrading, verify the fix by attempting a RESTORE operation with a crafted payload (as described in the vulnerability details) and confirming that it is rejected.

How to fix

Update the RedisTimeSeries module to version 1.12.14 or later to mitigate the vulnerability. Restrict access to the RESTORE command with ACL rules to limit the potential impact if you cannot update immediately.

Frequently asked questions

What is CVE-2026-25588 — RCE in RedisTimeSeries?

CVE-2026-25588 is a Remote Code Execution vulnerability in RedisTimeSeries versions before 1.12.14. An attacker can exploit crafted RESTORE payloads to execute code on the server. The CVSS score is 8.8 (HIGH).

Am I affected by CVE-2026-25588 in RedisTimeSeries?

You are affected if you are running RedisTimeSeries versions prior to 1.12.14. Check your version using redis-cli --module redisTimeSeries info.

How do I fix CVE-2026-25588 in RedisTimeSeries?

Upgrade to RedisTimeSeries version 1.12.14 or later. As a temporary workaround, restrict access to the RESTORE command using Redis ACLs.
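The Mitigation and Workarounds section and this answer both recommend restricting RESTORE with Redis ACLs, but an ACL rule that denies a command is only effective if no later rule on the same user grants it back. The script below is an added example, not part of this advisory or of the Redis project: it parses the text form that `redis-cli ACL LIST` prints and evaluates each user's command rules in order, the way Redis applies them, to report which users can still run RESTORE. The sample ACL LIST output and the password-hash placeholders are constructed for the example; the category membership of RESTORE (@keyspace, @write, @slow, @dangerous) is taken from the Redis command reference.

```python
"""Audit `ACL LIST` output for users who can still execute RESTORE.

Added example (not from the advisory or from Redis). Feed it the output of
`redis-cli ACL LIST` to find users that need an explicit `-restore` rule.
"""

# ACL categories that contain RESTORE, per the Redis command reference.
RESTORE_CATEGORIES = {"@keyspace", "@write", "@slow", "@dangerous"}

# Constructed sample of `ACL LIST` output (hashes are placeholders).
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on #<placeholder-sha256> ~cache:* resetchannels +@all -restore
user ingest on #<placeholder-sha256> ~ts:* resetchannels -@all +@read +ts.add +ts.madd
user ops on #<placeholder-sha256> ~* resetchannels -@all +@dangerous
"""


def parse_acl_list(text):
    """Return {username: [rule tokens]} from ACL LIST text."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        users[parts[1]] = parts[2:]
    return users


def can_run_restore(rules):
    """Walk the command rules left to right; the last matching rule wins.

    Tokens that are not command rules (on/off, ~key patterns, &channel
    patterns, #password hashes, resetchannels) do not change the result,
    except that a disabled user ("off") can run nothing at all.
    """
    if "off" in rules:
        return False
    allowed = False
    for rule in rules:
        if rule in ("allcommands", "+@all"):
            allowed = True
        elif rule in ("nocommands", "-@all"):
            allowed = False
        elif rule[0] in "+-":
            sign, target = rule[0], rule[1:].lower()
            # Category rule (e.g. +@dangerous) or exact command rule (-restore).
            if target in RESTORE_CATEGORIES or target == "restore":
                allowed = sign == "+"
    return allowed


def users_able_to_restore(text):
    """Sorted list of user names whose rules still permit RESTORE."""
    parsed = parse_acl_list(text)
    return sorted(name for name, rules in parsed.items() if can_run_restore(rules))


if __name__ == "__main__":
    for name in users_able_to_restore(SAMPLE_ACL_LIST):
        print(f"user '{name}' can execute RESTORE; consider adding -restore")
```

On the constructed sample, `app` is correctly locked down (`+@all -restore`) and `ingest` never receives a category containing RESTORE, while `default` (`+@all`) and `ops` (`-@all +@dangerous`) are reported because a later category grant covers the command. Keep in mind that a user with `+@all` on an unpatched server can run RESTORE regardless of the `~` key patterns, so the fix for a reported user is an explicit `-restore` rule, not a narrower key pattern.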

Is CVE-2026-25588 being actively exploited?

Currently, there are no confirmed reports of active exploitation, but the RCE nature of the vulnerability suggests a potential for exploitation. Monitor security advisories for updates.

Where can I find the official Redis advisory for CVE-2026-25588?

Refer to the official Redis security advisory, which can be found on the Redis website or through your preferred security information source. Search for 'Redis Security Advisory CVE-2026-25588'.
