Redis · Redis-Server · CVE-2026-23631
**Name of the Vulnerable Software and Affected Versions**
redis-server versions prior to 8.6.3
**Description**
An authenticated attacker can exploit the master-replica synchronization mechanism in redis-server to trigger a use-after-free condition on replicas where the `replica-read-only` setting is disabled or can be disabled. This issue, which involves the Lua script interpreter, may lead to remote code execution.
**Recommendations**
Update to version 8.6.3.
As a temporary workaround, prevent users from executing Lua scripts.
Avoid using replicas where `replica-read-only` is disabled.
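
The three recommendations above can be checked against a node's own output. The following is an added example, not code from the advisory or from the Redis project: it audits text shaped like `INFO`, `CONFIG GET replica-read-only` and `ACL LIST` output. The function names are hypothetical, the sample data is constructed, and the ACL evaluation is a simplified left-to-right reading of the rules.

```python
# Added example: offline audit of a Redis node against the advisory's recommendations.
# Sample text is constructed, shaped like INFO / CONFIG GET / ACL LIST output.
FIXED = (8, 6, 3)  # fixed version named in the advisory
SCRIPT_CMDS = {"eval", "eval_ro", "evalsha", "evalsha_ro",
               "fcall", "fcall_ro", "function", "script"}

def parse_info(text):
    """Parse 'key:value' lines from INFO output, skipping '# Section' headers."""
    pairs = (ln.split(":", 1) for ln in text.splitlines()
             if ":" in ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def scripting_allowed(acl_line):
    """Simplified ACL evaluation: can this enabled user run Lua scripts?"""
    rules = acl_line.split()[2:]          # skip 'user <name>'
    if "off" in rules:
        return False
    allowed = False
    for t in (r.lower() for r in rules):
        if t in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif t in ("-@all", "nocommands", "-@scripting"):
            allowed = False
        elif t[:1] == "+" and t[1:].split("|")[0] in SCRIPT_CMDS:
            allowed = True                # a single scripting command is enough
    return allowed

def audit(info_text, replica_read_only, acl_lines):
    """Return a list of findings for the node described by the three inputs."""
    info = parse_info(info_text)
    findings = []
    version = tuple(int(p) for p in info["redis_version"].split(".")[:3])
    if version < FIXED:
        findings.append("version %s is prior to 8.6.3" % info["redis_version"])
    # INFO reports a replica's role as 'slave'
    if info.get("role") == "slave" and replica_read_only.lower() != "yes":
        findings.append("replica has replica-read-only disabled")
    for line in acl_lines:
        if scripting_allowed(line):
            findings.append("user %s may execute Lua scripts" % line.split()[1])
    return findings

SAMPLE_INFO = "# Server\nredis_version:8.6.2\n# Replication\nrole:slave\n"
SAMPLE_ACL = ["user default on nopass ~* &* +@all",
              "user app on #<hash-placeholder> ~app:* -@all +get +set",
              "user batch on #<hash-placeholder> ~* +@all -@scripting",
              "user old off nopass ~* +@all"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO, "no", SAMPLE_ACL):
        print("FINDING:", finding)
```

The check reads only the current value of `replica-read-only`; the description also covers replicas where the setting can be disabled, which this example does not evaluate.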