Critical Redis RCE Vulnerability (CVE-2026-23631) Patched in May 2026
In May 2026, Redis developers addressed a severe post-authentication remote code execution (RCE) vulnerability, tracked as CVE-2026-23631 and dubbed DarkReplica, which enabled attackers to fully compromise affected Redis hosts.
The flaw stemmed from the functions engine, a feature that lets administrators run custom Lua logic inside Redis. An authenticated attacker could use the SLAVEOF command to turn a Redis instance into a replica of a malicious master; during the resulting synchronization, the server would load a new function context from an attacker-controlled RDB (Redis dump) file, triggering a use-after-free condition.
The vulnerability arose from a race condition in Redis’s handling of paused Lua functions. While long-running functions periodically yield to process events, the replication handler could free the active Lua engine and replace it with a new context without preventing the paused function from resuming. This allowed the function to execute with freed memory, creating an exploitable state.
Researchers from ZeroDay.Cloud demonstrated the attack by crafting memory manipulation primitives, including heap address leaks and fake Lua objects, to gain control of the Lua VM. From there, they redirected function pointers to execute arbitrary system commands, achieving full RCE.
The flaw affected multiple Redis release series, including 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x, with patches released on May 5, 2026. Exploitation requires authentication, so the servers most exposed are misconfigured ones with weak or default credentials. The incident underscores the risks of complex in-process scripting and replication features, particularly when synchronization and lifecycle management are not tightly controlled.
A technical write-up and proof-of-concept exploit were published, prompting vendors and cloud security tools to issue detection advisories for affected installations.
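As an added, defender-side example that is not from the article or the Redis project: a small Python parser over constructed Redis MONITOR output (line layout assumed from the documented MONITOR format) that flags SLAVEOF/REPLICAOF commands pointing a node at a master outside an operator allow-list, i.e. the re-pointing step the attack chain above begins with.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# One line of Redis MONITOR output looks like (assumed format):
#   1710000000.123456 [0 10.0.0.5:51234] "SLAVEOF" "203.0.113.9" "6379"
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<argv>.+)$'
)
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # each quoted argument

# SLAVEOF is the legacy alias of REPLICAOF; both re-point replication.
REPL_COMMANDS = {"SLAVEOF", "REPLICAOF"}

# Constructed sample: one legitimate REPLICAOF, one to an unknown host,
# and one promotion back to master (REPLICAOF NO ONE).
SAMPLE_MONITOR = """\
1710000000.100000 [0 10.0.0.5:51234] "GET" "session:42"
1710000000.200000 [0 10.0.0.5:51234] "REPLICAOF" "10.0.0.2" "6379"
1710000000.300000 [0 198.51.100.7:40001] "SLAVEOF" "203.0.113.9" "6379"
1710000000.400000 [0 10.0.0.5:51234] "REPLICAOF" "NO" "ONE"
""".splitlines()
KNOWN_MASTERS: Set[Tuple[str, str]] = {("10.0.0.2", "6379")}  # constructed allow-list


def parse_monitor_line(line: str):
    """Return (timestamp, client, argv) for a MONITOR line, or None if unparseable."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("client"), ARG_RE.findall(m.group("argv"))


def find_rogue_replication(lines: Iterable[str],
                           allowed_masters: Set[Tuple[str, str]]) -> List[Dict]:
    """Flag replication re-pointing to masters outside the allow-list.
    'NO ONE' (promotion to master) is reported separately so an operator can
    correlate it with planned failovers rather than treating it as hostile."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        ts, client, argv = parsed
        if len(argv) < 3 or argv[0].upper() not in REPL_COMMANDS:
            continue
        host, port = argv[1], argv[2]
        if host.upper() == "NO" and port.upper() == "ONE":
            findings.append({"ts": ts, "client": client, "kind": "promoted_to_master"})
        elif (host, port) not in allowed_masters:
            findings.append({"ts": ts, "client": client, "kind": "rogue_master",
                             "master": f"{host}:{port}"})
    return findings
```

Feed it the output of `redis-cli MONITOR` (or an equivalent command audit log) and alert on any `rogue_master` finding; the same check can be applied to `INFO replication` snapshots by comparing `master_host`/`master_port` against the allow-list.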
Source: https://cybersecuritynews.com/redis-rce-vulnerability-server/
Redis cybersecurity rating report: https://www.rankiteo.com/company/redisinc
{
"id": "RED1780914215",
"linkid": "redisinc",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Technology', 'name': 'Redis', 'type': 'Database Software'}],
 'attack_vector': 'Post-authentication exploitation via SLAVEOF command and malicious RDB file',
 'date_publicly_disclosed': '2026-05-05',
 'date_resolved': '2026-05-05',
 'description': 'In May 2026, Redis developers addressed a severe post-authentication remote code execution (RCE) vulnerability, tracked as CVE-2026-23631 and dubbed DarkReplica, which enabled attackers to fully compromise affected Redis hosts. The flaw stemmed from the functions engine, allowing administrators to execute custom Lua logic within Redis. During replication, an authenticated attacker could manipulate a Redis instance into becoming a replica of a malicious master using the SLAVEOF command. When synchronizing, the server would load a new function context from an attacker-controlled RDB (Redis dump) file, triggering a use-after-free condition due to a race condition in Redis’s handling of paused Lua functions.',
 'impact': {'operational_impact': 'Full system compromise', 'systems_affected': 'Redis hosts'},
 'lessons_learned': 'The incident underscores the risks of complex in-process scripting and replication features, particularly when synchronization and lifecycle management are not tightly controlled.',
 'post_incident_analysis': {'corrective_actions': 'Patches released to address the race condition and improve lifecycle management of Lua engine contexts.',
                            'root_causes': 'Race condition in Redis’s handling of paused Lua functions during replication, leading to a use-after-free vulnerability.'},
 'recommendations': 'Apply Redis security patches immediately; ensure strong authentication for Redis instances; monitor for exploitation attempts.',
 'references': [{'source': 'ZeroDay.Cloud'}],
 'response': {'communication_strategy': 'Technical write-up and proof-of-concept exploit published; detection advisories issued by vendors and cloud security tools',
              'containment_measures': 'Patches released for affected versions',
              'remediation_measures': 'Apply Redis security updates (versions 7.2.x, 7.4.x, 8.2.x, 8.4.x, 8.6.x)'},
 'title': 'Critical Redis RCE Vulnerability (CVE-2026-23631) - DarkReplica',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-23631 (DarkReplica)'}