
AI News

09 Jun 2026


How to patch Redis CVE-2026-23479 and prevent RCE

How to patch Redis CVE-2026-23479 by upgrading to a fixed release and tightening ACLs to stop RCE now

Need to know how to patch Redis CVE-2026-23479? Upgrade to the fixed release for your branch (7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3), then lock down ACLs, disable Lua scripting if you do not use it, and keep Redis off the public internet. Verify with version checks and privilege audits. The steps below show exactly what to do and how to confirm it worked. The flaw is a use-after-free that let an authenticated user run system commands on the host. It affected Redis 7.2.0 and later until fixes landed on May 5. This guide shows how to patch Redis CVE-2026-23479 safely, reduce attack paths, and check your environment before and after the update.

How to patch Redis CVE-2026-23479 fast

1) Identify your version and plan the window

  • Check the server version: redis-cli INFO server | grep redis_version
  • If you see any of these ranges, you must update: 7.2.0–7.2.13, 7.4.0–7.4.8, 8.2.0–8.2.5, 8.4.0–8.4.2, 8.6.0–8.6.2
  • Back up RDB/AOF data and configs before you start.

2) Upgrade to a fixed release

  • Upgrade targets: 7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3
  • Linux packages (example):
    • Debian/Ubuntu: sudo apt-get update && sudo apt-get install --only-upgrade redis-server
    • RHEL/CentOS/Rocky: sudo dnf upgrade redis or sudo yum update redis
  • Docker:
    • Pull a pinned, fixed image: docker pull redis:8.6.3 (or your series: 7.2.14, 7.4.9, 8.2.6, 8.4.3)
    • Recreate containers with the new tag. Avoid floating tags like latest during rollout.
  • Managed services (Redis Cloud, AWS, Azure, GCP): confirm your plan/version and apply or request the patch. Redis Cloud reports it is already updated.

3) Verify the fix

  • Run: redis-cli INFO server | grep redis_version and confirm the exact fixed release for your branch.
  • Spot-check app health and latency after reconnects or failovers.
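Steps 1 to 3 above as one script, added here as an example and not the post's own code. It parses the redis_version field out of INFO server output and classifies it against the affected/fixed ranges this page lists; the INFO text is a constructed sample, and any branch the page does not list (7.0.x, 8.0.x and so on) is reported as "not-listed" rather than assumed safe, because the page gives no range for it.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Redis server
# needs the CVE-2026-23479 update. Fixed releases are the ones this page lists;
# every listed branch is affected from x.y.0 up to the release before the fix.
# A branch the page does not list is reported as "not-listed", not as safe.
# POSIX sh, no bashisms.

# Constructed sample of `redis-cli INFO server` output (CRLF line endings,
# as redis-cli prints them); not captured from a real server.
SAMPLE_INFO="$(printf '# Server\r\nredis_version:7.2.13\r\nredis_git_sha1:00000000\r\nredis_mode:standalone\r\n')"

# Print the redis_version field from INFO server text.
redis_version_from_info() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^redis_version:\(.*\)$/\1/p'
}

# Return 0 when version $1 is numerically lower than $2 (both X.Y.Z),
# comparing component by component so that 7.2.9 < 7.2.14 is handled correctly.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal is not lower
}

# Print "affected", "fixed" or "not-listed" for a redis_version string.
cve_2026_23479_status() {
    v="$1"
    for fix in 7.2.14 7.4.9 8.2.6 8.4.3 8.6.3; do   # first fixed release per branch
        branch=${fix%.*}                            # e.g. 7.2
        case "$v" in
            "$branch".*)
                if version_lt "$v" "$fix"; then echo affected; else echo fixed; fi
                return 0 ;;
        esac
    done
    echo not-listed
}

# Demo against the constructed sample; on a live host replace SAMPLE_INFO
# with "$(redis-cli INFO server)".
v=$(redis_version_from_info "$SAMPLE_INFO")
echo "redis_version=$v status=$(cve_2026_23479_status "$v")"
```

Run it against each node of a cluster or replica set, not just the primary; a "not-listed" result means the page gave no range for that branch, so check the advisory rather than treating it as fixed.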

Pre-update risk checks

    Find exposure and over-privileged users

  • Is Redis reachable from the internet? If yes, move it behind a firewall/VPC and enable TLS.
  • Check who can authenticate and from where. Look for shared or default credentials.
  • Review ACLs:
    • redis-cli ACL LIST
    • redis-cli ACL GETUSER default
  • If any single user holds CONFIG, EVAL (Lua), stream commands (XREAD/XADD), and read/write access, that user has everything the published exploit chain needs. Note that +@read already includes XREAD and +@write already includes XADD, so for a normal app user the real discriminator is whether it also has @scripting or @admin.
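The ACL review above, as an added example that is not part of the original post: a check over ACL LIST output that evaluates each user's rules left to right, as Redis does, but only for the four capabilities the chain needs, and flags enabled users that hold all of them. The ACL LIST dump is constructed (hashes shortened); it is not a full ACL parser, so treat RISK as a prompt to read that user's complete rule set.

```shell
#!/bin/sh
# Added example, not from the original post: flag ACL users that hold every
# capability the published chain needs (CONFIG, scripting, stream access,
# write). Rules are applied left to right like Redis does, but only the
# categories that matter here are modelled, so "RISK" means "go read this
# user's rules", not a complete ACL evaluation. POSIX sh plus awk.

# Constructed `redis-cli ACL LIST` output (password hashes shortened);
# not taken from a real server.
SAMPLE_ACL_LIST='user default on nopass sanitize-payload ~* &* +@all
user app on #4b227777d4dd1fc6 ~* resetchannels -@all +@read +@write -@dangerous
user ops on #ef2d127de37b942b ~* resetchannels -@all +@admin -@scripting
user batch on #e7f6c011776e8db7 ~jobs:* resetchannels -@all +@read +@write +@scripting +config'

# Print "<user> config=<0|1> scripting=<0|1> stream=<0|1> write=<0|1> <RISK|ok>"
# for one ACL LIST line. Lines that do not start with "user" are skipped.
acl_user_capabilities() {
    set -f                 # the ~* and &* tokens must not be glob-expanded
    set -- $1
    set +f
    [ "$1" = user ] || return 0
    name=$2; shift 2
    cfg=0; scr=0; stm=0; wr=0; enabled=0
    for tok in "$@"; do
        case "$tok" in
            on)  enabled=1 ;;
            off) enabled=0 ;;
            +@all) cfg=1; scr=1; stm=1; wr=1 ;;
            -@all) cfg=0; scr=0; stm=0; wr=0 ;;
            +@admin|+@dangerous|+config) cfg=1 ;;   # CONFIG is in both categories
            -@admin|-@dangerous|-config) cfg=0 ;;
            +@scripting|+eval|+evalsha|+fcall) scr=1 ;;
            -@scripting) scr=0 ;;
            +@stream|+xadd|+xread) stm=1 ;;
            -@stream) stm=0 ;;
            +@write) wr=1; stm=1 ;;   # XADD is in @write
            -@write) wr=0 ;;
            +@read)  stm=1 ;;         # XREAD is in @read
        esac
    done
    if [ "$enabled" = 1 ] && [ "$cfg$scr$stm$wr" = 1111 ]; then verdict=RISK; else verdict=ok; fi
    printf '%s config=%s scripting=%s stream=%s write=%s %s\n' "$name" "$cfg" "$scr" "$stm" "$wr" "$verdict"
}

# Run the check over a whole ACL LIST dump and print one line per user.
acl_audit() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        acl_user_capabilities "$line"
    done
}

# Names of enabled users that hold the full set, one per line.
acl_risky_users() {
    acl_audit "$1" | awk '$NF == "RISK" { print $1 }'
}

# Demo on the constructed dump; on a live host use "$(redis-cli ACL LIST)".
acl_audit "$SAMPLE_ACL_LIST"
```

On the sample, default (+@all) and batch (read/write plus +@scripting and +config) are flagged while app and ops are not; the same split-duties idea is what the hardening section below applies.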

Understand the flaw (briefly)

  • The bug is a use-after-free in blocked-client handling (unblockClientOnKey): the client structure can be freed while the caller keeps using it, and an authenticated attacker can turn that into remote code execution.
  • The default user in many setups already holds all of the rights the chain needs (out of the box it is on, nopass and +@all), so a leaked or shared password is enough.

Hardening to cut the attack path

    Lock down commands and categories

  • Split duties. Do not let one role hold admin, scripting, and stream access.
    • Create a standard app user with read/write only. A new user has no key access until you grant a pattern, so ~* (or, better, your app's own prefixes such as ~session:*) is required; replace app-pass with a real secret:
      • redis-cli ACL SETUSER app on >app-pass ~* +@read +@write -@admin -@scripting -@dangerous
    • Keep CONFIG for a separate ops user only when needed (@admin already includes CONFIG):
      • redis-cli ACL SETUSER ops on >ops-pass +@admin -@scripting
    • Persist the result with ACL SAVE (if aclfile is configured) or CONFIG REWRITE (if users live in redis.conf); otherwise the change is lost at the next restart.

Disable Lua if you do not use it

  • Preferred on Redis 7.0 and later: deny the whole @scripting category to every user, including default, with ACL SETUSER. One rule covers EVAL, EVALSHA, EVAL_RO, EVALSHA_RO, FCALL and FUNCTION.
  • Legacy alternative in redis.conf (still honoured, but ACLs are the supported way):
    • rename-command EVAL ""
    • rename-command EVALSHA ""
    • Rename EVAL_RO and EVALSHA_RO (present since 7.0) as well, or the block has a gap.
  • rename-command is read only at startup, so restart Redis after editing the file; ACL changes apply immediately. Either way this removes a common info-leak and exploit step.

Network and transport

  • Bind to private addresses only: bind 10.x.x.x or 127.0.0.1
  • protected-mode yes (it only kicks in when no bind address and no password are configured, so it is a backstop, not a substitute for the line above)
  • Require ACL users with strong passwords or client certs. Prefer TLS for client traffic.

Container and OS hygiene

  • Pin to fixed Redis patch tags (not latest).
  • Run as a non-root user, drop extra capabilities, and prefer a read-only filesystem where possible.
  • Keep the base image and libc up to date. Defense-in-depth matters even after the fix.

How to confirm and monitor after the update

    Post-patch validation

  • Version check: ensure the server shows 7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3.
  • ACL audit: verify that default does not hold @admin, CONFIG, or @scripting if not required.

Watch for abuse signals

  • Alert on unexpected EVAL/EVALSHA attempts (once @scripting is denied, blocked attempts show up in ACL LOG as rejected commands, which is the cheap place to look).
  • Alert on CONFIG SET outside approved windows.
  • Look for unusual stream activity (XREAD/XADD bursts) paired with privilege changes.
  • Rotate widely shared credentials. Replace plaintext passwords in CI/CD or IaC templates.
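The three signals above turned into a check over redis-cli MONITOR output, added here as an example and not the post's own tooling. The MONITOR lines are constructed; the field layout assumed is the one MONITOR prints, "<timestamp> [<db> <addr>] "<CMD>" "<arg>" ...", split on whitespace, which is enough for the command name and the first two arguments. MONITOR is expensive on a busy server, so feed it a short capture (or the same lines from a proxy) rather than running it continuously.

```shell
#!/bin/sh
# Added example, not from the original post: raise an alert on scripting
# commands, CONFIG SET, and XADD/XREAD bursts from one client, using the
# MONITOR line format. Whitespace splitting is a simplification: a quoted
# argument containing spaces shifts later fields, which does not affect the
# command name ($4) or CONFIG SET's parameter ($6). POSIX sh plus awk.

# Constructed MONITOR lines (not captured from a real server).
SAMPLE_MONITOR='1780000000.100000 [0 10.0.1.7:51234] "GET" "session:abc"
1780000000.200000 [0 10.0.1.7:51234] "EVAL" "return 1" "0"
1780000000.300000 [0 10.0.1.9:40212] "CONFIG" "SET" "save" ""
1780000000.400000 [0 10.0.1.7:51234] "XADD" "events" "*" "k" "v"
1780000000.500000 [0 10.0.1.7:51234] "XADD" "events" "*" "k" "v"
1780000000.600000 [0 10.0.1.7:51234] "XREAD" "COUNT" "10" "STREAMS" "events" "0"
1780000000.700000 [0 10.0.1.9:40212] "SET" "flag" "1"'

# Print one ALERT line per finding. $1 = MONITOR text, $2 = number of
# XADD/XREAD calls from one client that counts as a burst (default 100).
monitor_alerts() {
    printf '%s\n' "$1" | awk -v burst="${2:-100}" '
    {
        ts = $1
        client = $3; sub(/\]$/, "", client)
        cmd = toupper($4); gsub(/"/, "", cmd)
        arg1 = toupper($5); gsub(/"/, "", arg1)
        if (cmd == "EVAL" || cmd == "EVALSHA" || cmd == "EVAL_RO" || cmd == "EVALSHA_RO" ||
            cmd == "FCALL" || cmd == "FCALL_RO") {
            printf "ALERT scripting %s %s %s\n", ts, client, cmd
        } else if (cmd == "CONFIG" && arg1 == "SET") {
            param = $6; gsub(/"/, "", param)
            printf "ALERT config-set %s %s %s\n", ts, client, param
        } else if (cmd == "XADD" || cmd == "XREAD") {
            n[client]++
            if (n[client] == burst)
                printf "ALERT stream-burst %s %s %d+ stream commands\n", ts, client, burst
        }
    }'
}

# Demo with a low burst threshold so the constructed sample trips it.
# Live, with a bounded capture: monitor_alerts "$(redis-cli MONITOR | head -n 10000)" 500
monitor_alerts "$SAMPLE_MONITOR" 3
```

A stream-burst alert on its own is normal for a busy producer; the page's point is that it matters when it coincides with a scripting or CONFIG SET alert from the same client, which is what the per-client address in each line lets you join on.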

Rollout tips for teams

    Prioritize the biggest risks first

  • Internet-exposed or cross-tenant instances
  • Shared app users with broad rights
  • Clusters that use Lua and CONFIG

    Reduce blast radius

  • Create separate users for app, batch, and admin tasks.
  • Block dangerous commands by default and allow only what each role needs.
  • Document who can re-enable CONFIG or scripting and why.

Key versions at a glance

  • Fixed releases: 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3
  • Affected ranges: 7.2.0–7.2.13, 7.4.0–7.4.8, 8.2.0–8.2.5, 8.4.0–8.4.2, 8.6.0–8.6.2

This bug was in the code for two years and was found by an autonomous AI tool rather than by code review, so do not wait. If someone asks how to patch Redis CVE-2026-23479, the short answer is: upgrade to the fixed release now, then strip unneeded rights, disable Lua if unused, and keep Redis private and encrypted. (Source: https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html)

FAQ

Q: Which Redis versions are affected by CVE-2026-23479?
A: Affected ranges are 7.2.0–7.2.13, 7.4.0–7.4.8, 8.2.0–8.2.5, 8.4.0–8.4.2, and 8.6.0–8.6.2. Upgrade to the fixed release for your branch.

Q: What are the fixed Redis releases I should upgrade to for CVE-2026-23479?
A: 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3. Back up RDB/AOF data and configs before upgrading, then move to the fixed release for your branch.

Q: How do I apply the patch on Linux, Docker, or managed Redis services?
A: On Debian/Ubuntu run sudo apt-get update && sudo apt-get install --only-upgrade redis-server; on RHEL/CentOS use sudo dnf upgrade redis or sudo yum update redis. For Docker pull a pinned image such as redis:8.6.3 and recreate the containers rather than using floating tags. For managed services confirm the plan/version and apply or request the vendor patch.

Q: How can I verify that CVE-2026-23479 has been patched successfully?
A: Run redis-cli INFO server | grep redis_version and confirm the server reports one of the fixed releases (7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3). Also audit ACLs and spot-check application health and latency after reconnects or failovers to make sure the upgrade did not cause regressions.

Q: What temporary mitigations reduce risk if I cannot upgrade immediately?
A: Keep Redis off the public internet and behind TLS, tighten ACLs so no single role holds @admin, CONFIG, and @scripting together, and deny @scripting if you do not use Lua. Prioritize internet-exposed instances and rotate broadly shared credentials while you schedule the upgrade. These steps narrow the attack path but do not remove the bug; only the fixed release does.

Q: How should I harden ACLs and disable Lua scripting to limit the attack surface?
A: Create separate users with minimal permissions, for example redis-cli ACL SETUSER app on >app-pass ~* +@read +@write -@admin -@scripting -@dangerous, and keep CONFIG for an ops user only. If you do not use Lua, deny @scripting to every user, or rename EVAL and EVALSHA (plus EVAL_RO and EVALSHA_RO) to "" in redis.conf and restart Redis.

Q: How did the CVE-2026-23479 exploit chain work?
A: The flaw is a use-after-free in unblockClientOnKey where processCommandAndResetClient can free the client and the caller continues to access the freed structure, allowing an attacker to leak a heap pointer and replace the freed slot with a fake client. The published chain then abuses memory accounting to perform an out-of-bounds decrement aimed at the Global Offset Table to repoint strcasecmp() at system(), so the next parsed command runs as a shell command.

Q: What post-patch monitoring and alerts should I implement?
A: Alert on unexpected EVAL/EVALSHA attempts, CONFIG SET outside approved windows, and unusual XREAD/XADD stream activity paired with privilege changes. Also perform periodic ACL audits, verify the Redis version remains on a fixed release, and rotate any widely shared credentials.
