Back to search

Redis

Redis

See the latest tracked release, confirm when it was published, and subscribe for update emails.

8.8 Current train 8.6 Switch to this train 8.4 Switch to this train 8.2 Switch to this train 8.0 Switch to this train 7.4 Switch to this train 7.2 Switch to this train
Current version
Last checked: 2026-06-03

8.8.0

Release date
May 25, 2026
Security status
3 high-severity CVEs tracked in the last 90 days. Current version not affected.

Source

GitHub API

Public release notes are linked for the latest stored release.

View release notes Subscribe to updates

Release history

See the latest published releases stored for this product.

Version Published Notes
8.8.0 2026-05-25 Release Notes

Vulnerability tracking

versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.

Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.

CVE Severity Published Status Summary
CVE-2026-25243 HIGH (8.8) 2026-05-05 Current versionnot affected

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

Affected versions
  • Up to (excluding) 8.6.3
CVE-2026-23631 HIGH (8.1) 2026-05-05 Current versionnot affected

Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.

Affected versions
  • Up to (excluding) 8.6.3
CVE-2026-23479 HIGH (8.8) 2026-05-05 Current versionnot affected

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

Affected versions
  • From (including) 7.2.0 - Up to (excluding) 8.6.3
versionPing is an unofficial free service that tracks software releases and notifies you when CVEs and updates are available. Built by an engineer for engineers.ImprintPrivacy Notice