Security News

Cybersecurity news aggregator

HIGH Vulnerabilities HKCERT

Redis Products Multiple Vulnerabilities

Multiple critical vulnerabilities (CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, CVE-2026-23631) in Redis products allow remote attackers to cause denial of service, bypass security restrictions, execute remote code, or disclose sensitive information. The CVSS 3.1 score for several of these is 8.8 (HIGH). For Redis OSS, CVE-2026-23479 affects versions 7.2.0 through 8.6.2, and CVE-2026-25243 affects all versions prior to 8.6.3; both are fixed in Redis version 8.6.3, while CVE-2026-25588 in RedisTimeSeries is fixed in version 1.12.14.

Multiple vulnerabilities were identified in Redis products. A remote attacker could exploit some of these vulnerabilities to trigger a denial of service condition, remote code execution, sensitive information disclosure and security restriction bypass on the targeted system.

Impact:
- Denial of Service
- Security Restriction Bypass
- Remote Code Execution
- Information Disclosure

System / Technologies affected:

For CVE-2026-23479, CVE-2026-25243, CVE-2026-25588 and CVE-2026-25589:
- All Redis Cloud deployments
- Redis Software versions up to and including 8.0.6
- All Redis OSS/CE releases

For CVE-2026-23631:
- All Redis OSS releases where replica-read-only is disabled

Solutions:

Before installation of the software, please visit the vendor website for more details. Apply fixes issued by the vendor: https://redis.io/blog/security-advisory-cve202623479-cve202625243-cve-2026-25588-cve202625589-cve-2026-23631/
