A use-after-free vulnerability in Redis allows authenticated users to execute arbitrary OS commands on affected servers. The flaw, tracked as CVE-2026-23479, existed in Redis 7.2.0 and all subsequent stable releases for more than two years before detection.

An autonomous AI-powered bug-hunting tool discovered the vulnerability in Redis's blocking-client code. Redis patched the issue on May 5 across affected versions. The flaw requires authentication to exploit, meaning attackers need valid database credentials to trigger remote code execution.

The two-year window between introduction and discovery underscores how complex vulnerabilities can evade human code review in large projects. Redis maintains extensive codebases, and use-after-free bugs often hide in memory management routines that handle edge cases. The blocking-client code path appears to have been overlooked during standard security assessments.

Organizations running Redis 7.2.0 or any later unpatched stable release face direct risk. RCE flaws grant attackers full system access on compromised hosts. In cloud deployments, this can lead to lateral movement across infrastructure. In containerized environments, exploited Redis instances become entry points to orchestration systems.

The AI tool's success at finding this flaw signals a shift in vulnerability discovery. Autonomous systems can scan code paths at scale and detect patterns that humans might miss. This approach complements traditional fuzzing and manual review but does not replace them.

Redis users should update immediately to patched releases. Organizations should review their Redis deployment permissions and ensure only trusted applications connect to database instances. Network segmentation between Redis and untrusted systems reduces exposure. Authentication passwords should be complex and rotated regularly.
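The hardening advice above maps directly onto a handful of `redis.conf` directives. The following script is an added example, not code from the article or from the Redis project: it audits a configuration string for missing authentication, a wildcard bind address, disabled protected mode, and a passwordless default ACL user, and it shows a constructed permissive configuration next to the same deployment with each setting corrected. The sample configurations, the `CHANGE-ME-placeholder` secrets, and the finding tags are all invented for the example; the directive names (`bind`, `protected-mode`, `requirepass`, `user`) and the ACL rule syntax are real Redis configuration.

```python
"""Audit a redis.conf for the exposure-reducing settings the article recommends:
authentication, a restricted bind address, protected mode and a locked-down
default user. Hypothetical helper written for this example, not a Redis tool."""

# Constructed sample: a permissive redis.conf (invented for this example).
WEAK_CONF = """\
# listens on every interface, no password, protected mode disabled
bind 0.0.0.0
protected-mode no
port 6379
user default on nopass ~* &* +@all
"""

# Constructed sample: the same deployment with each weak setting corrected.
# Passwords are placeholders; a real deployment uses long random secrets.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder-long-random-secret
user default off
user appuser on >CHANGE-ME-placeholder ~app:* +@read +@write -@dangerous
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Map each directive to the list of its argument lists.

    Directives such as 'user' may repeat, so every occurrence is kept.
    Only full-line comments are stripped: '#' legitimately appears inside an
    ACL rule (hashed password) and must not be treated as a comment there.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit(text):
    """Return a list of finding tags, in a fixed order, for a redis.conf string."""
    conf = parse_conf(text)
    findings = []

    # Authentication: either a legacy requirepass or at least one enabled ACL
    # user carrying a password (">plain" or "#sha256hex") must exist.
    requirepass = [a for a in conf.get("requirepass", []) if a]
    acl_users = [a for a in conf.get("user", []) if a]
    password_users = [
        a for a in acl_users
        if "on" in a and any(tok[0] in ">#" for tok in a[1:])
    ]
    if not requirepass and not password_users:
        findings.append("no-authentication")
    if any(len(a[0]) < 16 for a in requirepass):
        findings.append("short-requirepass")

    # Bind address: with no bind directive Redis listens on all interfaces,
    # and a wildcard address (optionally prefixed with '-') does the same.
    binds = conf.get("bind", [])
    if not binds:
        findings.append("bind-unset")
    elif any(addr.lstrip("-") in WILDCARD_BINDS for a in binds for addr in a):
        findings.append("bind-all-interfaces")

    # Protected mode: the last occurrence wins; the default is 'yes'.
    protected = conf.get("protected-mode", [["yes"]])[-1]
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode-off")

    # Default user: if it stays enabled it must not be passwordless.
    for a in acl_users:
        if a[0] == "default" and "on" in a and "nopass" in a:
            findings.append("default-user-nopass")
            break

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

The hardened sample restricts the listener to loopback, keeps protected mode on, disables the default user, and gives the application its own ACL user limited to a key prefix and to the read and write command categories with the dangerous category removed. Running the audit against a live deployment's `redis.conf` surfaces the same four misconfigurations this example flags, and the patch itself still has to be applied on top of them.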

The discovery method raises broader questions about why this flaw persisted so long in a widely used database. Redis benefits from community attention, yet authentication-required flaws sometimes receive lower priority than unauthenticated R