A use-after-free vulnerability in Redis (CVE-2026-23479) allows an authenticated user to execute arbitrary operating system commands on the host machine. Present in every stable Redis branch since version 7.2.0, the flaw went undetected for over two years before being discovered by an autonomous AI-powered code analysis tool. Because Redis is widely deployed as a caching and session layer in cloud environments, successful exploitation could lead to full host compromise.

Architect’s Take: Patch Redis to the May 5 release immediately across all environments — prioritise internet-adjacent or multi-tenant deployments. In the interim, enforce strict network segmentation so that only authorised application services can reach Redis, and audit whether any Redis instances permit external or untrusted client authentication.

Original advisory: Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)