Open CVEs: 13
Exploited: 1
KEV: 1
Unpatched: 0
No Workaround: 0
Internet-facing: 10
Why this provider is risky now
This provider has 13 open CVE(s) in the last 14 days. 1 listed in CISA KEV (known exploited). 10 affect internet-facing services. 3 impact the management/identity plane.
1 KEV
1 Exploited
3 Mgmt / Admin Plane
1 Public PoC
10 Internet-facing
Top Risky CVEs
CVE-2026-48172
Act Now
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection is
ICT dependency
Active exploitation
KEV
PoC
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Redis
- Exploited in the wild (CISA KEV)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Redis (Databases & Data Platforms)
- Known exploited vulnerability (KEV)
CVSS 10.0 | EPSS 0.0% | Priority 120
CVE-2026-45721
Act Now
Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).
Within 24 hours: inventory all systems running Algernon web server and document versions in use; immediately isolate any Algernon 1.17.6 or earlier instances from production traffic or restrict network access to trusted sources only. Within 7 days: implement file integrity monitoring to detect unauthorized handler.lua file creation in parent directories of the server root; deploy network-based access controls and WAF rules to block suspicious requests to Algernon endpoints. Within 30 days: evaluate alternatives to Algernon or contact vendor for patch timeline; if continued use is necessary, architect defensive layers (authentication gateway, request filtering, strict filesystem permissions) to compensate for the absence of a vendor fix.
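The root-escaping lookup above is easiest to see side by side with a bounded one. The following Python model is an added example, not Algernon's Go code: it reproduces the behaviour the advisory describes (climb up to 100 ancestor directories looking for handler.lua with no reference to the configured server root) next to a variant that stops at the root, and plants a handler above the root in a temporary directory to show the difference. All function and variable names here are hypothetical.

```python
"""Bounded vs. unbounded ancestor search for a per-directory handler file."""
import tempfile
from pathlib import Path
from typing import Optional

HANDLER_NAME = "handler.lua"
MAX_ANCESTORS = 100  # the walk limit the advisory describes


def find_handler_unbounded(start: Path) -> Optional[Path]:
    """Vulnerable pattern: climb up to MAX_ANCESTORS parents with no notion of a root."""
    current = start.resolve()
    for _ in range(MAX_ANCESTORS + 1):
        candidate = current / HANDLER_NAME
        if candidate.is_file():
            return candidate
        if current.parent == current:  # filesystem root reached
            return None
        current = current.parent
    return None


def find_handler_bounded(start: Path, server_root: Path) -> Optional[Path]:
    """Hardened variant: only directories at or below server_root are consulted."""
    root = server_root.resolve()
    current = start.resolve()
    try:
        current.relative_to(root)  # raises if the request directory escaped the root
    except ValueError:
        return None
    while True:
        candidate = current / HANDLER_NAME
        if candidate.is_file():
            return candidate
        if current == root:
            return None
        current = current.parent


def demo() -> dict:
    """Plant handler.lua two levels above the server root and compare both lookups."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp)
        root = outside / "srv" / "www"
        request_dir = root / "blog"  # directory a GET /blog/ would map to
        request_dir.mkdir(parents=True)
        # Constructed attacker artefact: a writable location above the root.
        (outside / HANDLER_NAME).write_text('print("attacker code")\n')
        results = {
            "escape_unbounded": find_handler_unbounded(request_dir),
            "escape_bounded": find_handler_bounded(request_dir, root),
        }
        # A legitimate handler inside the root is still honoured by the bounded walk.
        (root / HANDLER_NAME).write_text('print("site handler")\n')
        results["legit_bounded"] = find_handler_bounded(request_dir, root)
        return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {found}")
```

The bounded version also refuses a request directory that resolves outside the root at all (symlink or `..` escapes), which is the check a file-integrity monitor cannot substitute for: monitoring tells you a handler.lua appeared, the root check stops it from ever being loaded.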
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-20: Improper Input Validation)
- Third-party ICT: Canonical / Ubuntu, Redis
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
- ICT provider: Redis (Databases & Data Platforms)
CVSS 9.0 | EPSS 0.2% | Priority 45
CVE-2026-45338
This Week
Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. No EPSS score is available and the issue is not listed in CISA KEV, which suggests exploitation is not widespread, although the GitHub advisory includes a public proof of concept.
Within 24 hours: Inventory all Open WebUI deployments and document OAuth configuration status (check ENABLE_OAUTH_SIGNUP and OAUTH_UPDATE_PICTURE_ON_LOGIN settings). Within 7 days: Upgrade all instances to Open WebUI version 0.9.0 or later; if upgrade is not immediately feasible, disable OAuth signup and picture auto-update features via configuration. Within 30 days: Conduct audit of user profile_image_url fields in affected versions for base64-encoded exfiltrated data; review OAuth provider configurations and implement network segmentation to restrict server-initiated outbound HTTP requests to internal resources.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: Docker, Elastic, Redis
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: Elastic (Databases & Data Platforms)
- ICT provider: Redis (Databases & Data Platforms)
CVSS 7.7 | EPSS 0.0% | Priority 39
CVE-2026-45715
This Week
Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.
Within 24 hours: Inventory all Budibase deployments and document current versions; restrict Builder role assignments to trusted personnel only and review recent Builder account activity. Within 7 days: Apply Budibase version 3.38.1 or later immediately to all affected instances; audit REST datasource configurations for suspicious redirect patterns or external server references. Within 30 days: Implement network segmentation to block direct access from Budibase instances to cloud metadata endpoints (169.254.169.254 for AWS and Azure; metadata.google.internal for GCP, which also resolves to 169.254.169.254); enable and review audit logs for REST datasource activity.
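Both the Open WebUI entry (CVE-2026-45338, a user-controlled `picture` URL fetched by the server) and the Budibase entry (CVE-2026-45715, a blocklist that is checked once and then defeated by a redirect) are the same control failing in two places: the destination is not validated at every hop. The guard below is an added example in Python and is not code from either project. DNS and HTTP are constructed in-memory tables so it runs offline; every hostname, address, URL and response body in it is made up.

```python
"""Per-hop SSRF guard: validate every destination, including redirect targets."""
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed name -> address map standing in for DNS.
FAKE_DNS: Dict[str, str] = {
    "cdn.example.com": "93.184.216.34",   # placeholder public address
    "evil.example.net": "8.8.4.4",        # placeholder public address
    "metadata.google.internal": "169.254.169.254",
    "localhost": "127.0.0.1",
}

# Constructed responses: url -> (status, Location header for 3xx, otherwise body).
FAKE_HTTP: Dict[str, Tuple[int, str]] = {
    "https://cdn.example.com/avatar.png": (200, "PNGDATA"),
    "https://evil.example.net/pic.png": (302, "http://169.254.169.254/latest/meta-data/"),
    "http://169.254.169.254/latest/meta-data/": (200, "constructed-metadata-blob"),
    "http://metadata.google.internal/computeMetadata/v1/": (200, "constructed-project-id"),
    "http://localhost:6379/": (200, "constructed-redis-banner"),
}
REDIRECTS = {301, 302, 303, 307, 308}


def resolve(host: str) -> str:
    try:
        return str(ipaddress.ip_address(host))  # literal address: no lookup needed
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host {host!r}")
    return FAKE_DNS[host]


def is_public(ip: str) -> bool:
    """Reject loopback, link-local (cloud metadata), RFC 1918 and other non-global space."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def check_destination(url: str) -> str:
    """Return the resolved IP if url may be fetched, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    ip = resolve(parts.hostname)
    if not is_public(ip):
        raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return ip


def _request(url: str) -> Tuple[int, str]:
    return FAKE_HTTP.get(url, (404, ""))


def fetch_naive(url: str, max_redirects: int = 3) -> Tuple[str, List[str]]:
    """Vulnerable pattern: the blocklist is applied once, then redirects are followed blindly."""
    check_destination(url)
    hops, current = [], url
    for _ in range(max_redirects + 1):
        hops.append(current)
        status, payload = _request(current)
        if status in REDIRECTS:
            current = urljoin(current, payload)
            continue
        return payload, hops
    raise ValueError("too many redirects")


def fetch_guarded(url: str, max_redirects: int = 3) -> Tuple[str, List[str]]:
    """Hardened pattern: follow redirects manually and re-check each hop before requesting it."""
    hops, current = [], url
    for _ in range(max_redirects + 1):
        check_destination(current)  # raises before any request to this hop is sent
        hops.append(current)
        status, payload = _request(current)
        if status in REDIRECTS:
            current = urljoin(current, payload)
            continue
        return payload, hops
    raise ValueError("too many redirects")


def blocked(url: str) -> bool:
    """True if the guarded fetch refuses the URL, directly or via a redirect."""
    try:
        fetch_guarded(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(fetch_naive("https://evil.example.net/pic.png"))      # leaks metadata via the redirect
    print(blocked("https://evil.example.net/pic.png"))           # True
    print(fetch_guarded("https://cdn.example.com/avatar.png"))   # legitimate avatar fetch
```

Two caveats when porting this to a real client: turn off the library's automatic redirect handling (for example `allow_redirects=False` in requests or `follow_redirects=False` in httpx) so the loop above is the only thing that follows a 3xx, and connect to the address you validated rather than resolving the name a second time, otherwise a DNS answer that changes between check and connect (rebinding) defeats the check.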
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: Redis
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Redis (Databases & Data Platforms)
CVSS 7.7 | EPSS 0.0% | Priority 39
CVE-2026-33233
This Week
Insecure deserialization in Significant-Gravitas AutoGPT platform versions 0.6.34 through 0.6.51 lets an attacker who can poison entries in the shared Redis cache achieve arbitrary command execution inside the backend container. The backend's read path invokes pickle.loads on cache bytes with no HMAC, signature, or schema gate, so any attacker-controlled value reaching that key becomes code on retrieval. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the vendor shipped a fix in autogpt-platform-beta-v0.6.52.
Within 24 hours: Identify all systems running AutoGPT 0.6.34-0.6.51 and verify network access controls for the Redis instance. Within 7 days: Deploy vendor-released patch (autogpt-platform-beta-v0.6.52) to all affected systems after validation in a staging environment. Within 30 days: Audit backend and Redis logs for unauthorized cache modifications; implement monitoring for suspicious cache write attempts.
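The read path described above, `pickle.loads` on whatever bytes sit under a cache key, is shown next to the gate the advisory says is missing: an HMAC over the stored value, a data-only encoding, and a schema check before the value is used. This is an added Python example and not AutoGPT code; a dict stands in for the shared Redis cache, the gadget only records that it ran instead of spawning a process, and the key, field and function names are hypothetical.

```python
"""Shared-cache read path: unsigned pickle (vulnerable) vs. HMAC-gated JSON (hardened)."""
import hashlib
import hmac
import json
import pickle
from typing import Any, Dict, List

CACHE: Dict[str, bytes] = {}   # stands in for the Redis instance
EXECUTED: List[str] = []       # evidence that attacker-chosen code ran on retrieval
SIGNING_KEY = b"constructed-32-byte-cache-hmac-key!!"  # real deployments: from a secret store
USER_SCHEMA: Dict[str, type] = {"id": int, "name": str}


def record(message: str) -> str:
    """Stand-in for the attacker's payload; pickle calls it during loads()."""
    EXECUTED.append(message)
    return message


class Gadget:
    """__reduce__ names the callable pickle invokes on unpickling; any importable one works."""
    def __reduce__(self):
        return (record, ("gadget ran inside pickle.loads",))


def vulnerable_get(key: str) -> Any:
    """Trusts whatever bytes are in the cache: the read path the advisory describes."""
    raw = CACHE.get(key)
    return None if raw is None else pickle.loads(raw)


def _tag(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def hardened_set(key: str, value: Dict[str, Any]) -> None:
    """Store canonical JSON prefixed by a 32-byte HMAC-SHA256 tag."""
    payload = json.dumps(value, separators=(",", ":"), sort_keys=True).encode()
    CACHE[key] = _tag(payload) + payload


def hardened_get(key: str, schema: Dict[str, type]) -> Any:
    """Verify the tag, parse as data-only JSON, then enforce the expected shape."""
    raw = CACHE.get(key)
    if raw is None:
        return None
    tag, payload = raw[:32], raw[32:]
    if len(tag) != 32 or not hmac.compare_digest(tag, _tag(payload)):
        raise ValueError(f"cache entry {key!r} failed integrity check")
    value = json.loads(payload)  # JSON never instantiates classes or calls code
    if not isinstance(value, dict) or set(value) != set(schema):
        raise ValueError(f"cache entry {key!r} does not match schema")
    for field, typ in schema.items():
        if not isinstance(value[field], typ):
            raise ValueError(f"field {field!r} is {type(value[field]).__name__}, want {typ.__name__}")
    return value


def demo() -> Dict[str, Any]:
    CACHE.clear()
    EXECUTED.clear()
    # Attacker with write access to the cache plants a pickle under a key the backend reads.
    CACHE["user:42"] = pickle.dumps(Gadget())
    vulnerable_get("user:42")
    ran = list(EXECUTED)
    try:
        hardened_get("user:42", USER_SCHEMA)
        poison_rejected = False
    except ValueError:
        poison_rejected = True
    hardened_set("user:43", {"id": 43, "name": "alice"})
    # Tampering with a signed entry (flip one payload byte) must also be caught.
    signed = CACHE["user:43"]
    CACHE["user:44"] = signed[:-1] + bytes([signed[-1] ^ 0x01])
    try:
        hardened_get("user:44", USER_SCHEMA)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "executed": ran,
        "poison_rejected": poison_rejected,
        "legit": hardened_get("user:43", USER_SCHEMA),
        "tamper_rejected": tamper_rejected,
        "executed_total": len(EXECUTED),
    }
```

The order matters: the tag is checked before the bytes are parsed, so a forged entry never reaches a decoder at all, and the decoder is JSON rather than pickle, so even a valid-looking entry cannot carry a callable.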
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-502: Deserialization of Untrusted Data)
- Third-party ICT: Redis
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Redis (Databases & Data Platforms)
CVSS 7.6 | EPSS 0.0% | Priority 38
CVE-2026-46426
This Week
Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.
24 hours: Identify all Budibase instances and versions in production; immediately restrict file upload permissions to administrative accounts only. 7 days: Audit attachment upload logs for suspicious activity; disable SVG/HTML/JavaScript file uploads if operations permit; serve existing attachments with Content-Disposition: attachment and a Content-Security-Policy: sandbox header on the object response, since a CSP set on the application origin does not govern a file the browser opens directly from the object store's signed URL. 30 days: Upgrade to Budibase 3.38.2 or later (the fixed release named above); document new access controls for file upload functionality.
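The two controls implied above, refusing browser-executable uploads and serving whatever is stored so that it cannot render as a document, are shown in the Python example below. It is an added example and not Budibase code: the type lists, the sniffing rule, the header set and the three constructed sample files are mine. Sniffing the content matters because a file renamed to `.png` and declared `image/png` still executes if the object store serves it with a type the browser will render.

```python
"""Vet an attachment upload for active content and pick safe serving headers."""
import re
from typing import Dict, List, Tuple

ACTIVE_MIME = {
    "image/svg+xml", "text/html", "application/xhtml+xml",
    "text/javascript", "application/javascript", "application/x-javascript",
}
ACTIVE_EXT = {"svg", "svgz", "html", "htm", "xhtml", "js", "mjs"}
MAGIC: Tuple[Tuple[bytes, str], ...] = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
)
MARKUP = re.compile(rb"<\s*(svg|html|script|!doctype|body|iframe)\b", re.IGNORECASE)
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def sniff(data: bytes) -> str:
    """Identify content by magic bytes; anything markup-like is treated as active."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    if MARKUP.search(data[:4096]):
        return "text/html"
    return "application/octet-stream"


def serve_headers(content_type: str, filename: str) -> Dict[str, str]:
    """Headers for the signed-URL response: download, never render, never sniff."""
    known = {mime for _, mime in MAGIC}
    return {
        "Content-Type": content_type if content_type in known else "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{SAFE_NAME.sub("_", filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


def vet_upload(filename: str, declared_mime: str, data: bytes) -> Dict[str, object]:
    """Accept only if declared type, extension and sniffed content all look inert."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = declared_mime.split(";")[0].strip().lower()
    sniffed = sniff(data)
    reasons: List[str] = []
    if declared in ACTIVE_MIME:
        reasons.append(f"declared type {declared} is browser-executable")
    if ext in ACTIVE_EXT:
        reasons.append(f"extension .{ext} is browser-executable")
    if sniffed == "text/html":
        reasons.append("content looks like markup/script regardless of declared type")
    elif sniffed != "application/octet-stream" and declared != sniffed:
        reasons.append(f"declared {declared} but content is {sniffed}")
    accepted = not reasons
    return {
        "accepted": accepted,
        "reasons": reasons,
        "stored_type": sniffed if accepted else None,
        "headers": serve_headers(sniffed, filename) if accepted else None,
    }


# Constructed sample uploads (not real files from any incident).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_XSS = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
HTML_DOC = b"<!DOCTYPE html><html><body><script>alert(1)</script></body></html>"


def demo() -> Dict[str, bool]:
    return {
        "png_ok": bool(vet_upload("photo.png", "image/png", PNG)["accepted"]),
        "svg_declared": bool(vet_upload("logo.svg", "image/svg+xml", SVG_XSS)["accepted"]),
        "svg_as_png": bool(vet_upload("logo.png", "image/png", SVG_XSS)["accepted"]),
        "html_as_txt": bool(vet_upload("notes.txt", "text/plain", HTML_DOC)["accepted"]),
    }
```

`serve_headers` is the part to apply retroactively: files already in MinIO/S3 cannot be re-vetted cheaply, but if every signed-URL response carries `Content-Disposition: attachment` and a sandboxing CSP, an SVG that is opened directly downloads instead of executing.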
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- Third-party ICT: Docker, Redis
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: Redis (Databases & Data Platforms)
CVSS 7.6 | EPSS 0.0% | Priority 38
CVE-2026-45363
This Week
Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.
Within 24 hours: Inventory all Ruby applications using ruby-jwt < 3.2.0 and flag those with empty/nil key patterns for emergency patching. Within 7 days: Upgrade ruby-jwt to version 3.2.0 or later across all affected applications and test in staging environments. Within 30 days: Verify all production deployments are patched to 3.2.0+, eliminate empty/nil key fallback patterns from code, and implement monitoring for token validation failures.
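The forgery primitive above is not specific to Ruby: any HMAC routine will happily compute a digest under an empty key, so the bug is the verifier accepting one. The example below is added here in Python and is not ruby-jwt code; Python's hmac module stands in for OpenSSL::HMAC.digest. The naive verifier reproduces the nil-to-'' coercion described above, the hardened one refuses a missing or short key before it touches the signature, and `lookup_secret` models the cache-miss fallback the advisory warns about. Secret values and claim names are made up.

```python
"""HS256 forgery when the verification key degrades to the empty string."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, object], key: bytes) -> str:
    """Mint a token; an attacker uses this with key=b'' to forge one."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_b64url(hmac.new(key, signing_input, hashlib.sha256).digest())}"


def verify_naive(token: str, key: Optional[bytes]) -> Dict[str, object]:
    """Flawed pattern: None or '' is coerced to b'' and used as the HMAC key."""
    key = key or b""
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def verify_hardened(token: str, key: Optional[bytes]) -> Dict[str, object]:
    """Refuse before verifying: no key, a short key, or an alg other than the one expected."""
    if not key or len(key) < MIN_KEY_BYTES:
        raise ValueError("HMAC key missing or shorter than 256 bits")
    header_b64, payload, signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def lookup_secret(config: Dict[str, bytes]) -> bytes:
    """The degraded lookup the advisory warns about: a miss silently yields ''."""
    return config.get("jwt_secret", b"")


FORGED = sign_hs256({"sub": "admin", "role": "admin"}, b"")  # attacker needs no secret at all


def demo() -> Dict[str, object]:
    missing: Dict[str, bytes] = {}                               # e.g. a Redis miss
    present = {"jwt_secret": b"constructed-real-secret-key-at-least-32b"}
    results: Dict[str, object] = {}
    results["naive_accepts_forgery"] = verify_naive(FORGED, lookup_secret(missing))
    try:
        verify_hardened(FORGED, lookup_secret(missing))
        results["hardened_rejects_missing_key"] = False
    except ValueError:
        results["hardened_rejects_missing_key"] = True
    try:
        verify_hardened(FORGED, lookup_secret(present))
        results["hardened_rejects_forgery"] = False
    except ValueError:
        results["hardened_rejects_forgery"] = True
    legit = sign_hs256({"sub": "alice"}, lookup_secret(present))
    results["hardened_accepts_legit"] = verify_hardened(legit, lookup_secret(present))
    return results
```

The key-length check is the cheap part of the fix and the one worth adding to application code regardless of which JWT library is in use: it turns a silent `'' || ''` fallback into a hard failure at startup or on the first request, which is also what the "monitoring for token validation failures" item above will surface.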
Edge exposure
ICT dependency
Management plane
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-287: Improper Authentication)
- Third-party ICT: Redis
- Management plane (Improper Authentication)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Redis (Databases & Data Platforms)
- Authentication / access control weakness
CVSS 7.4 | Priority 37
CVE-2026-45399
This Week
{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Within 24 hours: inventory all Open WebUI instances and document current version numbers; verify administrative access credentials. Within 7 days: apply vendor-released patch to v0.9.0 or later on all affected instances; validate that global task endpoints now restrict to admin-only access. Within 30 days: conduct access control audit of remaining API endpoints; implement network segmentation to limit authenticated user access to task management APIs if upgrade is delayed.
Edge exposure
ICT dependency
Management plane
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Redis
- Management plane (Missing Authorization)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Redis (Databases & Data Platforms)
- Authentication / access control weakness
CVSS 7.1 | EPSS 0.0% | Priority 36
CVE-2026-45679
This Month
CVSS 6.5 | Priority 32
CVE-2026-45709
This Month
{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.
Edge exposure
ICT dependency
Patched
Why flagged?
CVSS 5.8 | Priority 29
By Exposure
Internet-facing: 10
Mgmt / Admin Plane: 3
Identity / Auth: 2
Internal only: 2
By Exploitability
Known exploited: 1
Public PoC: 1
High EPSS (>30%): 0
Remote unauthenticated: 6
Local only: 0
By Remediation
Patch available: 13
No patch: 0
Workaround available: 6
No workaround: 0
Affected Services / Product Families
Redis: 13 CVE(s) (+ 3 more)