The gist: An autonomous AI vulnerability hunter identified a two-year-old RCE flaw in Redis (CVE-2026-23479) that enabled authenticated attackers to execute code and was only patched on May 5, 2026.
Redis has closed a use-after-free bug in its blocking-client implementation that allowed authenticated users to execute arbitrary operating system commands on the database server. The flaw, tracked as CVE-2026-23479, had gone undetected since Redis 7.2.0.
The bug was introduced with Redis 7.2.0 and was present in every stable branch until the fix shipped on May 5, 2026, so it sat unnoticed in production code for more than two years.
Because exploitation requires only an authenticated connection, any Redis instance that accepts credentials from less-trusted clients (shared application accounts, multi-tenant caches, internet-exposed deployments) is at risk until it is upgraded. Organizations running Redis in critical infrastructure that have not yet moved to the patched versions remain exposed.
What makes this case noteworthy: CVE-2026-23479 was discovered by an autonomous AI tool built to systematically search large codebases for bugs, which shows that automated analysis can surface long-lived memory-safety flaws in complex open-source software. CISOs should inventory their Redis deployments and confirm that every instance runs a fixed release published on May 5, 2026 or later. Where an immediate upgrade is not possible, restricting which authenticated users may issue blocking commands (for example through Redis ACLs) narrows the exposure, but it is a stop-gap rather than a fix, and it will break legitimate workloads that depend on blocking operations such as queue consumers.
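The interim mitigation above can be expressed as a Redis ACL rule that removes the @blocking command category from application users, and an audit that reports which users still hold it. The following script is an added example written for this summary, not code from the article or the Redis project; the user names, password hashes and the ACL LIST sample are constructed placeholders, and the rule evaluator only tracks the @all and @blocking categories, so it is a triage aid, not a full reimplementation of Redis's ACL engine.

```shell
#!/bin/sh
# Added example: stop-gap ACL hardening against blocking-client abuse.
# Assumes Redis 7.x ACL syntax, where rules are applied left to right and
# the @blocking category covers commands such as BLPOP and XREAD BLOCK.

# Print a users.acl line for NAME (SHA-256 password hash HASH) that keeps
# full key and channel access but strips blocking commands. The "-@blocking"
# must come after "+@all", because later rules override earlier ones.
acl_line_no_blocking() {
  printf 'user %s on #%s ~* &* +@all -@blocking\n' "$1" "$2"
}

# Return 0 (true) if the rule list RULES leaves the @blocking category
# reachable. Simplified: only @all/@blocking and their keyword aliases are
# tracked; individual +blpop style grants are not modelled here.
acl_rule_allows_blocking() {
  allowed=0
  for tok in $1; do
    case "$tok" in
      +@all|allcommands|+@blocking) allowed=1 ;;
      -@all|nocommands|-@blocking)  allowed=0 ;;
    esac
  done
  [ "$allowed" -eq 1 ]
}

# Read ACL LIST output (one "user <name> <rules...>" line per user) and
# print the names of users that can still issue blocking commands.
audit_acl_list() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in user\ *) ;; *) continue ;; esac
    # shellcheck disable=SC2086  # word splitting is intentional here
    set -- $line
    name="$2"; shift 2
    if acl_rule_allows_blocking "$*"; then
      printf '%s\n' "$name"
    fi
  done
}

# Constructed ACL LIST sample (hashes are placeholders, not real secrets).
SAMPLE_ACL_LIST='user default on nopass sandbox ~* &* +@all
user appuser on #8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 ~* &* +@all -@blocking
user worker on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~queue:* &* -@all +@read +@blocking'

main() {
  echo "# proposed users.acl entry:"
  acl_line_no_blocking appuser 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
  echo "# users in the sample that still hold @blocking:"
  audit_acl_list "$SAMPLE_ACL_LIST"
}

# Run the demo only when executed directly, so the functions can be sourced.
case "${0##*/}" in sh|bash|dash) ;; *) main ;; esac
```

To use this against a live instance, feed `redis-cli ACL LIST` output to `audit_acl_list`; the `default` user in particular often carries `+@all` and should either be disabled or given an explicit `-@blocking`. Keep in mind that removing @blocking is a containment measure for users who have no business issuing those commands; the actual remediation is upgrading to a release that contains the May 5, 2026 fix.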
Source: thehackernews.com · Published June 3, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.2.9.