Redis CVE History: Every Critical Vulnerability Across All Versions
June 17, 2026·EOLCanary Team

Redis is the most deployed in-memory data store on the planet. EOLCanary tracks 47 CVEs across all Redis versions. Here is what the data shows.

CVE distribution by Redis version

Redis 6.x is the most affected branch in our database with 18 documented vulnerabilities. Redis 7.x follows with 14 CVEs, while older branches carry 7 or fewer — most of which will never be patched because those versions have been EOL for years.

The two Redis CVEs on the CISA KEV list

Two Redis CVEs appear on the CISA Known Exploited Vulnerabilities catalog, meaning active exploitation in the wild has been confirmed. If your Redis deployment is running a version affected by either of these CVEs, the risk is not hypothetical.

Why Redis 6.x accumulated so many CVEs

Redis 6.0 introduced ACLs, TLS support, and significant changes to the replication protocol — all of which expanded the attack surface considerably compared to Redis 5.x. The combination of new features and a four-year support window meant four years of CVE accumulation against a single branch.

The licensing change and its security implications

In March 2024, Redis Ltd changed the license from BSD to SSPL, leading to the Valkey fork maintained by the Linux Foundation. Teams evaluating migration from Redis 6.x must now choose between Redis 7.x and Valkey. Both receive active security patches. Both are preferable to running Redis 6.x.

EPSS scores on active Redis CVEs

Several Redis 7.x CVEs carry EPSS scores above 0.5 — meaning greater than 50% probability of active exploitation within 30 days of discovery. These justify immediate patching, not scheduled maintenance windows.

Recommended migration path

Redis 6.x → Redis 7.4 (current stable) or Valkey 8.x. Both support the same wire protocol, making the migration largely a configuration change. Redis 7.0 itself reaches EOL in December 2026, making 7.2 or 7.4 the correct targets for teams doing this migration today.
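One way to sort a fleet against this migration guidance, as an added example that is not EOLCanary's code: it parses the text returned by `redis-cli INFO server` and returns a verdict per host. The verdict labels, host names and sample outputs are constructed for illustration; the check relies on Valkey reporting its own `valkey_version` field next to a compatibility `redis_version`.

```python
# Added example: classify a server from `redis-cli INFO server` output.
# Verdict labels and sample outputs are constructed for illustration.

def parse_info(text):
    """Parse key:value lines, skipping blanks and '# Section' headers."""
    fields = {}
    for line in text.splitlines():          # INFO uses CRLF; splitlines handles it
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value
    return fields

def major_minor(version):
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def classify(info_text):
    """Return (product, version, verdict) following the post's migration guidance."""
    f = parse_info(info_text)
    try:
        # Valkey still reports a redis_version for client compatibility, so
        # check valkey_version first or a Valkey 8 node reads as Redis 7.2.
        if "valkey_version" in f:
            major, _ = major_minor(f["valkey_version"])
            return ("valkey", f["valkey_version"], "ok" if major >= 8 else "review")
        version = f["redis_version"]
        mm = major_minor(version)
    except (KeyError, ValueError):
        return ("unknown", None, "review")   # missing or unparseable version
    if mm < (7, 0):
        verdict = "migrate"        # 6.x and older branches
    elif mm < (7, 2):
        verdict = "plan-upgrade"   # 7.0: the post gives its EOL as December 2026
    else:
        verdict = "ok"             # 7.2 or later, the post's targets
    return ("redis", version, verdict)

# Constructed sample outputs (not captured from real servers).
SAMPLES = {
    "cache-a": "# Server\r\nredis_version:6.2.14\r\nredis_mode:standalone\r\n",
    "cache-b": "# Server\r\nredis_version:7.0.15\r\nredis_mode:standalone\r\n",
    "cache-c": "# Server\r\nredis_version:7.4.1\r\nredis_mode:standalone\r\n",
    "cache-d": "# Server\r\nredis_version:7.2.4\r\nserver_name:valkey\r\nvalkey_version:8.0.1\r\n",
}

if __name__ == "__main__":
    for host, info in SAMPLES.items():
        print(host, *classify(info))
```

A check that reads only `redis_version` would report the Valkey host in the last sample as Redis 7.2.4, which is why the Valkey field is tested first.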

Track all Redis CVEs and EOL dates on the Redis EOL page on EOLCanary.

© 2026 EOLCanary — Data from endoflife.date & NVD