What Happened
Redis has patched a use-after-free in its blocking-client code that lets an authenticated user run arbitrary OS commands on the machine hosting the database. The flaw was found by an autonomous AI tool built to hunt bugs in large codebases. Tracked as CVE-2026-23479, the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fixes, unnoticed for over two years.
Why It Matters
The article reports that an autonomous AI tool identified a two-year-old use-after-free vulnerability in Redis (CVE-2026-23479) that allowed authenticated users to execute arbitrary OS commands on servers running affected Redis versions. The flaw existed from Redis 7.2.0 through all stable branches until it was patched on May 5. From a CyberSE.AI perspective, this highlights that AI-driven analysis is now part of the broader software and AI supply chain: it is a powerful defensive capability, but attackers can apply the same capability to discover and weaponize long-lived RCE bugs in critical infrastructure. Organizations should incorporate AI-originated findings into their SBOM, vulnerability management, and patching workflows, and assess how AI-based code analysis tools are governed, validated, and monitored as part of their AI supply chain risk management.
CyberSE Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html