CVE-2023-28858: redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can se
Summary
CVE-2023-28858 is a bug in redis-py (a Python library for connecting to Redis databases) in versions before 4.5.3. When an async command is canceled at the wrong moment, the connection is left open with the canceled command's reply still unread on it. Because the connection is then reused, that stale reply can be handed to a completely different request, an off-by-one error in which every subsequent response on the connection is shifted by one position in the data stream.
Solution / Mitigation
Update redis-py to version 4.3.6, 4.4.3, or 4.5.3 or later. The patches are available in the official repository at https://github.com/redis/redis-py/ for each version.
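The failure mode described above, as an added illustration that is not redis-py's own code: a constructed in-memory stand-in for a pooled connection (FakeConnection, send_command, read_response, disconnect are hypothetical names) shows how cancelling between write and read leaves a reply queued, so the next, unrelated request reads the wrong response, and how discarding the connection on cancellation prevents it.

```python
import asyncio

class FakeConnection:
    """Constructed stand-in for a pooled Redis connection: a write queues
    the server's reply, a read takes the oldest queued reply (FIFO)."""
    def __init__(self):
        self._replies = asyncio.Queue()

    async def send_command(self, cmd):
        await self._replies.put(f"reply-to:{cmd}")  # server answers every command

    async def read_response(self):
        await asyncio.sleep(0.01)  # network latency: cancellation can land here
        return await self._replies.get()

    def disconnect(self):
        # Drop unread replies so the connection cannot be reused with a stale one.
        self._replies = asyncio.Queue()

async def execute_unsafe(conn, cmd):
    # Vulnerable pattern: cancellation between write and read leaves the reply
    # on the connection, so every later read on it is off by one.
    await conn.send_command(cmd)
    return await conn.read_response()

async def execute_safe(conn, cmd):
    # Hardened pattern: on cancellation, discard the connection so the orphaned
    # reply can never be handed to a different request.
    try:
        await conn.send_command(cmd)
        return await conn.read_response()
    except asyncio.CancelledError:
        conn.disconnect()
        raise

async def scenario(execute):
    conn = FakeConnection()
    task = asyncio.create_task(execute(conn, "GET session:alice"))
    await asyncio.sleep(0)  # command is written; cancel while awaiting the reply
    task.cancel()
    try:
        await task
    except asyncio.CancelledError:
        pass
    # An unrelated request reuses the same pooled connection.
    return await execute(conn, "GET public:banner")

def run(execute):
    # Returns the reply the second (unrelated) request receives.
    return asyncio.run(scenario(execute))
```

With the vulnerable pattern the second request receives the reply meant for the canceled one; with the hardened pattern it receives its own.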
Vulnerability Details
3.7 (Low)
EPSS: 1.5%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2023-28858
First tracked: February 15, 2026 at 08:50 PM
Classified by LLM (prompt v3) · confidence: 85%