🟠 High  |  Source: The Hacker News


A critical remote code execution vulnerability (CVE-2026-23479) in Redis, introduced in version 7.2.0 over two years ago, has been patched following its discovery by an autonomous AI-powered bug-hunting tool. The flaw is a use-after-free bug in Redis’s blocking-client handling code that allows any authenticated user to execute arbitrary operating system commands on the host server. This is significant because Redis is widely deployed across cloud environments as a caching and data-store layer, so exposure of a reachable instance could lead to full host compromise.

Architect’s Take: Prioritise patching all Redis instances to the May 5 fixed release immediately, paying particular attention to managed Redis services (AWS ElastiCache, Azure Cache for Redis, GCP Memorystore) as well as self-hosted deployments; check with your vendors for patch availability. In the interim, enforce network segmentation and strict authentication controls to limit which services and users can reach Redis endpoints, so that the pool of authenticated users able to reach the flaw is as small as possible.
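A quick way to audit the interim controls above on a self-hosted instance, as an added example (not from the article or the Redis project): the script reads a redis.conf and flags settings that widen reachability or skip authentication. The two config fragments and the credentials in them are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a redis.conf for the exposure controls the digest recommends
# (network reachability and authentication). Not from the article or from Redis.
# Usage: audit_redis_conf < /etc/redis/redis.conf   (prints one FINDING line per issue)

audit_redis_conf() {
  conf=$(cat)
  # Redis listens on every interface when bind is absent, 0.0.0.0 or *.
  if ! printf '%s\n' "$conf" | grep -Eq '^bind '; then
    echo "FINDING: no bind directive, Redis listens on all interfaces"
  elif printf '%s\n' "$conf" | grep -Eq '^bind( .*)? (0\.0\.0\.0|\*)( |$)'; then
    echo "FINDING: bind exposes Redis on all interfaces"
  fi
  # protected-mode no removes the loopback-only guard for unauthenticated clients.
  if printf '%s\n' "$conf" | grep -Eq '^protected-mode +no'; then
    echo "FINDING: protected-mode is disabled"
  fi
  # Without requirepass, an ACL user or an aclfile, every client is trusted.
  if ! printf '%s\n' "$conf" | grep -Eq '^(requirepass |user |aclfile )'; then
    echo "FINDING: no requirepass, user or aclfile directive (no authentication)"
  fi
  # The default user should be off so that only named, scoped users can log in.
  if printf '%s\n' "$conf" | grep -Eq '^user default on'; then
    echo "FINDING: default ACL user is enabled"
  fi
}

# Constructed sample fragments (placeholder credentials, not real ones).
WEAK_CONF='bind 0.0.0.0
protected-mode no
port 6379'

HARDENED_CONF='bind 127.0.0.1 10.0.2.15
protected-mode yes
requirepass REPLACE_WITH_STRONG_PASSWORD
user default off
user appsvc on >REPLACE_WITH_STRONG_PASSWORD ~app:* +@read +@write -@dangerous'

# count_findings: number of FINDING lines produced for the config passed as $1
count_findings() {
  printf '%s\n' "$1" | audit_redis_conf | grep -c '^FINDING' || true
}
```

Run `count_findings "$WEAK_CONF"` to see the three findings for the weak fragment and zero for the hardened one; the bind check only inspects the config file, so combine it with a firewall or security-group review for real segmentation.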

Original advisory: Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)