Redis DarkReplica Vulnerability Can Let Authenticated Attackers Run Code on Host Servers
Redis has patched a remote code execution vulnerability that could let an authenticated attacker gain control of a vulnerable Redis host under specific replica and Lua scripting conditions.
The flaw is tracked as CVE-2026-23631 and has been nicknamed DarkReplica. It affects Redis servers with Lua scripting when an attacker can exploit the master-replica synchronization mechanism against replicas where replica-read-only is disabled or can be disabled.
Redis disclosed the issue in its May 5 security advisory, which covered five vulnerabilities across Redis Software and Redis OSS/CE releases. The GitHub advisory says DarkReplica is a Lua use-after-free issue that may lead to remote code execution.
DarkReplica targets Redis replication and Lua scripting
Redis supports server-side Lua so administrators and applications can run logic directly inside the database. Redis also supports replication, where one server can synchronize data from another server.
DarkReplica sits at the intersection of those features. Researcher Yoni Sherez found that an authenticated attacker could abuse master-replica synchronization while Lua execution is in progress, creating a use-after-free condition inside the Redis Lua engine.
The ZeroDay.Cloud write-up says the attack involves making a target server replicate from an attacker-controlled server, then abusing a logic flaw during synchronization to reach a use-after-free in the Lua functions engine.
| Issue | Details |
|---|---|
| CVE | CVE-2026-23631 |
| Nickname | DarkReplica |
| Bug class | Use-after-free |
| Attack type | Post-authentication remote code execution |
| Affected condition | Redis replicas where replica-read-only is disabled or can be disabled |
| Official severity | CVSS 6.1 Medium in Redis and GitHub advisory scoring |
The vulnerability can lead to host compromise after authentication
The issue does not give unauthenticated attackers direct access to Redis. The attacker first needs authenticated access to the Redis instance, which makes this a post-authentication vulnerability.
However, that still matters. Many Redis deployments sit behind applications, automation tools, cloud services, and internal networks. If credentials are weak, exposed, reused, or stolen, this bug can turn Redis access into code execution on the host.
The NVD entry for CVE-2026-23631 says an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on affected replicas, which may lead to remote code execution.
Why replica-read-only matters
The vulnerable condition depends heavily on Redis replica behavior. Redis says the bug affects replicas configured with replica-read-only disabled, or replicas where that setting can be disabled.
Replica-read-only is an important safety control because replicas should usually serve read traffic, not accept writes or risky state changes. If attackers can change that behavior after authentication, the attack surface increases.
Redis lists two workarounds for organizations that cannot patch immediately: prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. These are temporary risk-reduction steps, not replacements for patching.
- DarkReplica requires authenticated access.
- The attack targets Redis replication behavior.
- The flaw involves Lua scripting and a use-after-free condition.
- Risk is highest when Redis is exposed, weakly authenticated, or misconfigured.
- Redis Cloud customers were already upgraded with fixes, according to Redis.
Redis fixed the issue across maintained releases
Redis patched CVE-2026-23631 on May 5, 2026. The fixed OSS/CE versions include 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3.
The Redis 8.6.3 release is marked as a security update, while older maintained release lines also received corresponding fixes.
Organizations should confirm the running Redis version on every self-managed server, container image, appliance, and package-based deployment. They should also check whether Redis modules such as RedisTimeSeries or RedisBloom need separate updates for the other vulnerabilities disclosed in the same advisory.
| Redis OSS/CE release line | Fixed version for CVE-2026-23631 |
|---|---|
| 6.2.x | 6.2.22 |
| 7.2.x | 7.2.14 |
| 7.4.x | 7.4.9 |
| 8.2.x | 8.2.6 |
| 8.4.x | 8.4.3 |
| 8.6.x | 8.6.3 |
DarkReplica came from ZeroDay.Cloud research
Yoni Sherez discovered DarkReplica during the Wiz ZeroDay.Cloud 2025 event. The public analysis explains how the bug appears when replication processing and Lua engine lifecycle handling interact in an unsafe way.
The research describes a complex exploitation path involving memory corruption, Lua internals, and Redis replication behavior. For defenders, the important point is simpler: authenticated Redis access should not be treated as harmless, especially when the server can become or behave like a writable replica.
The Canadian Centre for Cyber Security also issued an advisory on May 5, encouraging users and administrators to review Redis guidance and apply the necessary updates.
Redis says it has no evidence of exploitation
Redis said that, as of publication, it had no evidence of exploitation of the disclosed vulnerabilities in Redis or customer environments. That is useful context, but it should not delay patching.
Public technical details can increase attacker interest after a patch becomes available. Redis deployments also vary widely, with many instances running in containers, managed hosting, internal networks, CI systems, and cloud workloads.
The Redis GitHub advisory lists the issue under CWE-416, use-after-free, and confirms that user interaction is not required once an attacker has the necessary authenticated access.
| Detection area | What to review |
|---|---|
| Redis access | Connections from unknown, unusual, or unauthorized sources |
| Replication changes | Unexpected master-replica configuration changes |
| Lua behavior | Crashes or stack traces linked to the Lua engine |
| Host activity | Unexpected command execution by the redis-server user |
| Network traffic | Unusual ingress or egress traffic from Redis hosts |
| File system | Unexpected changes to Redis persistence or configuration directories |
How administrators should reduce the risk
The first step is to upgrade Redis to a fixed release. Redis recommends updating self-managed Redis Software, OSS, and CE deployments to the latest available versions.
Administrators should also restrict network access so only trusted systems can reach Redis. Public internet exposure remains one of the most dangerous Redis misconfigurations, especially when authentication or protected mode settings are weak.
The official Redis advisory recommends restricting network access, enforcing strong authentication, limiting permissions, keeping Redis updated, and avoiding configurations that allow unauthenticated access.
- Upgrade Redis OSS/CE to 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3, or a later fixed version.
- Confirm Redis Software deployments run one of the fixed builds listed by Redis.
- Restrict Redis access with firewalls, private networking, security groups, and network policies.
- Enforce strong authentication and rotate Redis credentials after suspected exposure.
- Limit which accounts can run Lua scripts or replication-related commands.
- Keep replica-read-only enabled unless there is a clear and controlled operational need.
- Investigate unexplained Lua crashes, suspicious replication changes, and unexpected host commands.
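The version and replica-read-only checks from the workaround section and the checklist above, as an added audit helper that is not part of the Redis advisory or of Redis itself. It assumes `INFO server` output and `CONFIG GET replica-read-only` results have already been collected (here they are constructed samples so the check runs offline); the fixed-version table is taken from the advisory as quoted on this page.

```python
# Added audit helper for CVE-2026-23631 (DarkReplica); not Redis code and not
# from the advisory. It compares a server's reported version with the fixed
# OSS/CE releases and flags replicas running with replica-read-only disabled.
# The advisory's other workaround (blocking Lua execution) is normally done
# with ACL rules such as "-@scripting" and is not modelled here.

# Fixed OSS/CE versions from the advisory, keyed by release line (major, minor).
FIXED_VERSIONS = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}


def parse_version(info_text):
    """Extract redis_version from `INFO server` output as (major, minor, patch)."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(p) for p in line.split(":", 1)[1].strip().split("."))
    raise ValueError("redis_version not found in INFO output")


def version_is_fixed(version):
    """True when the version is at or above the fixed release for its line.
    Lines absent from the table (e.g. unmaintained branches) count as unfixed."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version >= fixed


def audit(info_text, config):
    """Return findings for one server. `config` is the dict form of CONFIG GET
    results, e.g. {"replica-read-only": "yes"}; Redis defaults the key to yes."""
    findings = []
    version = parse_version(info_text)
    if not version_is_fixed(version):
        findings.append("version %s is not a fixed release for CVE-2026-23631"
                        % ".".join(map(str, version)))
    if config.get("replica-read-only", "yes") != "yes":
        findings.append("replica-read-only is disabled")
    return findings


# Constructed sample data, not captured from a real host.
SAMPLE_INFO = "# Server\r\nredis_version:7.4.8\r\nredis_mode:standalone\r\n"
SAMPLE_CONFIG = {"replica-read-only": "no"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, SAMPLE_CONFIG):
        print("FINDING:", finding)
```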
Teams should check all May 2026 Redis fixes
DarkReplica is not the only Redis issue disclosed on May 5. Redis also fixed CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, and CVE-2026-25589, several of which can also lead to remote code execution after authentication.
The Canadian Cyber Centre advisory notes that Redis published updates for Redis Software and Redis OSS/CE releases on May 5. Administrators should review the entire patch set, not only CVE-2026-23631.
For CVE tracking, the NVD record gives the public vulnerability description, CVSS information, CWE mapping, and references, while the Redis 8.6.3 release page confirms that the branch received security fixes.
The DarkReplica technical analysis shows why complex database features such as scripting and replication need strict lifecycle controls. For most defenders, the safest response is to patch, reduce access, review authentication, and monitor Redis hosts for suspicious behavior.
Redis remains a critical part of many application stacks, so even post-authentication flaws deserve fast action. Once an attacker reaches Redis with valid credentials, the database can become a bridge into the underlying host and the applications that depend on it.
FAQ
DarkReplica is the nickname for CVE-2026-23631, a Redis use-after-free vulnerability involving Lua scripting and master-replica synchronization. It can lead to remote code execution after an attacker gains authenticated access.
Redis and GitHub rate CVE-2026-23631 as CVSS 6.1 Medium. The impact can still be serious because successful exploitation may lead to remote code execution on the Redis host.
Yes. DarkReplica is a post-authentication vulnerability. An attacker needs authenticated access to the Redis instance before attempting to exploit the affected replication and Lua scripting behavior.
Redis fixed CVE-2026-23631 in Redis OSS/CE 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3. Later fixed versions also include the patch.
Redis says administrators can reduce risk by preventing users from executing Lua scripts or avoiding replicas where replica-read-only is disabled. These workarounds should only be temporary until fixed versions can be installed.
Administrators should review Redis access logs, replication changes, Lua-related crashes, unexpected command execution by the redis-server user, unusual network traffic, and changes to Redis configuration or persistence files.