VYPR
patch · Published Jun 8, 2026 · 1 source

Critical Redis RCE Vulnerability (CVE-2026-23631) Allows Full Host Control

A critical post-authentication RCE vulnerability in Redis, dubbed DarkReplica (CVE-2026-23631), has been patched; it allowed authenticated attackers to gain complete control of host servers.

Redis developers have addressed a critical post-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-23631 and nicknamed DarkReplica. This flaw, discovered during research by ZeroDay.Cloud in 2025, could allow authenticated attackers to achieve complete control over a Redis host server.

The vulnerability resides within Redis's newer functions engine, which is used for storing and synchronizing libraries between database nodes. Exploitation hinges on a complex use-after-free condition that occurs during the replication synchronization process. An attacker must first authenticate to a Redis instance and then use the SLAVEOF command to designate an attacker-controlled server as the master. During the synchronization phase, the vulnerable server may load a new function context from an incoming RDB file.

Researchers detailed how Redis handles long-running Lua functions by periodically yielding control to process events. However, processing replication events while a slow function is paused creates a critical loophole. The replication handler can free the currently running Lua engine and replace it with a new context, but it fails to prevent the paused function from resuming execution. This resumption with freed Lua state and objects leads to the use-after-free condition.

While complex, the exploitation path was demonstrated to be practical. Security researchers developed primitives to leak heap addresses, force deterministic heap allocations, and construct fake Lua objects. By executing the vulnerable code within coroutines and carefully manipulating the Lua memory arena, they were able to regain control of the Lua virtual machine. This allowed them to establish read/write primitives, redirect internal function pointers, and ultimately invoke system commands to achieve full remote code execution on the host server.

The DarkReplica vulnerability impacts multiple maintained Redis release series. Patches were made available on May 5, 2026, for versions including 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x. Administrators are urged to upgrade to the patched versions immediately and to audit any Redis instances exposed to potential threats.

The risk is particularly elevated for Redis instances that are misconfigured with weak or no authentication, or where attackers have already obtained valid credentials. The complexity of the exploit requires a certain level of access and technical skill, making compromised credentials a primary vector.

This incident underscores the security risks inherent in complex in-process scripting and replication features, and the importance of careful synchronization logic and robust lifecycle management for such features within database systems. Users should prioritize updating Redis, enforcing strict authentication, implementing strong network access controls, and actively monitoring for unauthorized changes to Redis configuration or behavior.
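As an added example (not code from the article or from the Redis project), the following Python script checks a redis.conf for the hardening the article recommends (authentication, network exposure, and making the REPLICAOF/SLAVEOF commands unreachable via rename-command) and scans Redis log lines for replication changes pointing at masters outside an allow-list. The sample config fragments and log lines are constructed, and the shape of the REPLICAOF log message is an assumption; adjust the regex to what your Redis version actually logs.

```python
import re

# Constructed sample redis.conf fragments (not taken from any real deployment).
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\n# requirepass deliberately absent\n"
HARDENED_CONF = ("bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass REPLACE-WITH-STRONG-SECRET\n"
                 'rename-command REPLICAOF ""\nrename-command SLAVEOF ""\n')
# Constructed log lines in the shape of Redis's REPLICAOF log message (the format is an assumption).
SAMPLE_LOG = (
    "1234:M 08 Jun 2026 10:00:01.000 * REPLICAOF 10.0.0.5:6379 enabled (user request from 'id=7 addr=10.0.0.9:51234')\n"
    "1234:S 08 Jun 2026 10:05:00.000 * REPLICAOF 203.0.113.7:6379 enabled (user request from 'id=12 addr=198.51.100.3:40000')\n"
)
REPLICAOF_RE = re.compile(
    r"REPLICAOF (?P<host>[^:\s]+):(?P<port>\d+) enabled \(user request from '(?P<client>[^']*)'\)")

def parse_conf(text):
    """Map each directive name to the list of values it was given in the file."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_conf(text):
    """Return the weaknesses that matter for a post-auth, replication-driven bug."""
    conf, findings = parse_conf(text), []
    if "requirepass" not in conf and "aclfile" not in conf:
        findings.append("no requirepass/aclfile: default user has no password")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")
    # With no bind directive Redis listens on every interface; '-' prefixes mark optional addresses.
    binds = [b.lstrip("-") for b in " ".join(conf.get("bind", ["*"])).split()]
    if any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind exposes the instance on all interfaces")
    # REPLICAOF and SLAVEOF are separate command-table entries, so both must be renamed.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if not {"REPLICAOF", "SLAVEOF"} <= renamed:
        findings.append("REPLICAOF/SLAVEOF still reachable (rename-command not applied to both)")
    return findings

def unexpected_masters(log_text, allowed_masters):
    """Flag every replication change whose new master is not on the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = REPLICAOF_RE.search(line)
        if m and m.group("host") not in allowed_masters:
            hits.append((m.group("host"), int(m.group("port")), m.group("client")))
    return hits
```

Run `audit_conf` against each instance's live config (or `CONFIG GET` output) and feed the log scanner from the Redis log file; any hit from `unexpected_masters` is a replication change a human should be able to account for.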

Full technical details and exploit code have been published by the researchers. Various vendors and cloud security providers have issued advisories to help organizations detect installations affected by CVE-2026-23631.

Synthesized by Vypr AI