CVE-2026-23631

UNKNOWN 0.0

redis-server Lua use-after-free may allow remote code execution

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.

CWE	CWE-416
Vendor	redis
Product	redis
Ecosystems	Database Cache
Industries	Technology
Published	May 5, 2026

Stay Ahead of the Next One

Get instant alerts for redis redis

Be the first to know when new unknown vulnerabilities affecting redis redis are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

redis / redis

< 8.6.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826 github.com: https://github.com/redis/redis/releases/tag/8.6.3