From 3bbc17c70ecb4e79b232ff85b49062e944a1aef1 Mon Sep 17 00:00:00 2001
From: Rachel Elledge <86307637+rrelledge@users.noreply.github.com>
Date: Fri, 8 May 2026 17:09:20 -0500
Subject: [PATCH 01/10] RS: Certificate-based authentication for LDAP (#3268)
* DOC-6422 RS: Certificate-based authentication for LDAP
* Added dmc_external fields to cluster object reference
* Added dba fields to LDAP object
* DOC-6422 Feedback updates
---
.../rest-api/objects/cluster/_index.md | 4 +
.../rs/references/rest-api/objects/ldap.md | 3 +
.../ldap/certificate-based-authentication.md | 90 +++++++++++++++++++
3 files changed, 97 insertions(+)
create mode 100644 content/operate/rs/security/access-control/ldap/certificate-based-authentication.md
diff --git a/content/operate/rs/references/rest-api/objects/cluster/_index.md b/content/operate/rs/references/rest-api/objects/cluster/_index.md
index aa45c5700a..fa1c77279e 100644
--- a/content/operate/rs/references/rest-api/objects/cluster/_index.md
+++ b/content/operate/rs/references/rest-api/objects/cluster/_index.md
@@ -38,6 +38,10 @@ An API object that represents the cluster.
| default_non_sharded_proxy_policy | string (default: single) | Default proxy_policy for newly created non-sharded databases' endpoints (read-only) |
| default_sharded_proxy_policy | string (default: all-master-shards) | Default proxy_policy for newly created sharded databases' endpoints (read-only) |
| disconnect_clients_on_password_removal | "enabled"
"disabled"
**"auto"** | This flag controls whether client connections using removed, revoked, or rotated passwords are actively disconnected |
+| dmc_external_authentication | boolean (default: false) | Enable DMC to call the authentication_service for basic authentication |
+| dmc_external_cba_authentication | boolean (default: false) | Enable DMC to call the authentication_service for certificate-based authentication |
+| dmc_external_entraid_authentication | boolean (default: false) | Enable DMC to call the authentication_service for entraid authentication |
+| dmc_external_ldap_authentication | boolean (default: false) | Enable DMC to call the authentication_service for LDAP-based authentication |
| email_alerts | boolean (default: false) | Send node/cluster email alerts (requires valid SMTP and email_from settings) |
| email_from | string | Sender email for automated emails |
| encrypt_pkeys | boolean (default: false) | Enable or turn off encryption of private keys |
diff --git a/content/operate/rs/references/rest-api/objects/ldap.md b/content/operate/rs/references/rest-api/objects/ldap.md
index 6386dbc908..ef506ab137 100644
--- a/content/operate/rs/references/rest-api/objects/ldap.md
+++ b/content/operate/rs/references/rest-api/objects/ldap.md
@@ -18,6 +18,9 @@ An API object that represents the cluster's [LDAP]({{< relref "/operate/rs/secur
| bind_pass | string | Password used when binding with the LDAP server to run queries |
| ca_cert | string | PEM-encoded CA certificate(s) used to validate TLS connections to the LDAP server |
| cache_ttl | integer (default: 300) | Maximum TTL (in seconds) of cached entries |
+| cba | boolean (default: false) | Whether to allow LDAP as an identity source for certificate-based authentication |
+| cba_identity_oid | string | The certificate subject OID to use when `cba_identity_source` is set to `subject_oid` |
+| cba_identity_source | "subject_cn"
"subject_oid" | The certificate subject identity source to use for LDAP lookup |
| control_plane | boolean (default: false) | Use LDAP for user authentication/authorization in the control plane |
| data_plane | boolean (default: false) | Use LDAP for user authentication/authorization in the data plane |
| directory_timeout_s | integer (range: 5-60) (default: 5) | The connection timeout to the LDAP server when authenticating a user, in seconds |
diff --git a/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md b/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md
new file mode 100644
index 0000000000..7f5e488193
--- /dev/null
+++ b/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md
@@ -0,0 +1,90 @@
+---
+title: Certificate-based authentication for LDAP
+linkTitle: Certificate-based authentication for LDAP
+description: Learn how to set up certificate-based authentication for LDAP in Redis Software.
+weight: 40
+---
+
+You can configure Redis Software to use certificate-based authentication in combination with LDAP to authenticate and authorize users.
+
+Here's how it works:
+
+1. Users authenticate to the database using client certificates.
+
+1. Redis Software extracts the user identity from the certificate.
+
+1. Redis Software looks up the user in LDAP.
+
+1. LDAP group mappings and database ACLs determine authorization.
+
+## Prerequisites
+
+Before enabling certificate-based authentication for LDAP, you must complete the following prerequisites:
+
+1. [Enable mutual TLS]({{}}) for the relevant databases to set up certificate-based authentication.
+
+1. [Set up LDAP for the cluster]({{< relref "/operate/rs/security/access-control/ldap/enable-role-based-ldap#set-up-ldap-connection" >}}).
+
+1. [Map LDAP users to appropriate cluster roles]({{< relref "/operate/rs/security/access-control/ldap/map-ldap-groups-to-roles" >}}).
+
+1. [Configure database ACLs]({{< relref "/operate/rs/security/access-control/ldap/update-database-acls" >}}) to authorize LDAP users.
+
+## Set up certificate-based authentication for LDAP
+
+To set up certificate-based authentication for LDAP:
+
+1. Enable certificate-based authentication in the cluster LDAP configuration using an [update LDAP configuration]({{}}) REST API request.
+
+ To perform LDAP lookup for certificate-authenticated users:
+
+ - Redis Software must extract an identity from the client certificate's subject line, using either the subject CN or a custom OID. Extracting user identity from SAN is not currently supported.
+
+ - The certificate subject must follow [RFC 4514](https://datatracker.ietf.org/doc/html/rfc4514) formatting.
+
+ {{}}
+
+To enable certificate-based authentication and use the certificate subject CN as the LDAP identifier:
+
+```sh
+PUT https://:/v1/cluster/ldap
+{
+ "cba": true,
+ "cba_identity_source": "subject_cn",
+ "control_plane": true,
+ "data_plane": true
+}
+```
+
+-tab-sep-
+
+To enable certificate-based authentication and use a custom subject OID as the LDAP identifier:
+
+```sh
+PUT https://:/v1/cluster/ldap
+{
+ "cba": true,
+ "cba_identity_source": "subject_oid",
+ "cba_identity_oid": "1.2.3.4",
+ "control_plane": true,
+ "data_plane": true
+}
+```
+
+The certificate subject must include the OID.
+
+ {{}}
+
+1. Enable external certificate-based authentication in cluster settings using an [update cluster settings]({{}}) REST API request:
+
+ ```sh
+ PUT https://:/v1/cluster
+ {
+ "dmc_external_cba_authentication": true
+ }
+ ```
+
+## Verify your setup
+
+After configuration is complete, try to [connect to the database with certificate-based authentication]({{}}) and verify your setup.
From fe3552dcb914eb1ab9b394988393e59be374148d Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Fri, 8 May 2026 19:24:37 -0500
Subject: [PATCH 02/10] Added traffic_manually_disabled indicator to BDB object
and rladmin status references
---
content/operate/rs/references/cli-utilities/rladmin/status.md | 2 ++
content/operate/rs/references/rest-api/objects/bdb/_index.md | 1 +
2 files changed, 3 insertions(+)
diff --git a/content/operate/rs/references/cli-utilities/rladmin/status.md b/content/operate/rs/references/cli-utilities/rladmin/status.md
index f3241681d9..b04254ec6b 100644
--- a/content/operate/rs/references/cli-utilities/rladmin/status.md
+++ b/content/operate/rs/references/cli-utilities/rladmin/status.md
@@ -40,6 +40,7 @@ rladmin status
| extra rack_id | Shows `rack_id` and `second_rack_id` even if the cluster is not `rack_aware` |
| extra redis_version | Shows Redis version of all databases in the cluster |
| extra state_machine | Shows execution of state machine information |
+| extra traffic_manually_disabled | Conditionally shows if any database's traffic was manually stopped with the `stop_traffic` API |
| extra watchdog | Shows watchdog status |
### Returns
@@ -112,6 +113,7 @@ rladmin status databases
| extra rack_id | Shows `rack_id` and `second_rack_id` even if the cluster is not `rack_aware` |
| extra redis_version | Shows Redis version of all databases in the cluster |
| extra state_machine | Shows execution of state machine information |
+| extra traffic_manually_disabled | Conditionally shows if any database's traffic was manually stopped with the `stop_traffic` API |
| extra watchdog | Shows watchdog status |
### Returns {#returns-dbs}
diff --git a/content/operate/rs/references/rest-api/objects/bdb/_index.md b/content/operate/rs/references/rest-api/objects/bdb/_index.md
index 0bd22d606b..834a21be0b 100644
--- a/content/operate/rs/references/rest-api/objects/bdb/_index.md
+++ b/content/operate/rs/references/rest-api/objects/bdb/_index.md
@@ -175,6 +175,7 @@ An API object that represents a managed database in the cluster.
| timeseries | [complex object]({{< relref "/operate/rs/references/rest-api/objects/bdb/timeseries" >}}); Configuration fields for timeseries. |
| tls_mode | Require TLS-authenticated and encrypted connections to the database
Values:
'enabled'
**'disabled'**
'replica_ssl' |
| tracking_table_max_keys | integer; The client-side caching invalidation table size. 0 makes the cache unlimited. |
+| traffic_manually_disabled | boolean; Whether traffic was manually turned off using the stop_traffic API (read-only) |
| type | Type of database
Values:
**'redis'**
'memcached' |
| use_nodes | array of strings; Cluster node UIDs to use for database shards and bound endpoints |
| use_selective_flush | boolean (default: true); If true, enable selective flush of destination shards |
From b039cf0aeae15ce0983794e8100796501fcfca18 Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Fri, 8 May 2026 19:32:43 -0500
Subject: [PATCH 03/10] Added crdt_supported fields to cluster object reference
---
.../operate/rs/references/rest-api/objects/cluster/_index.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/content/operate/rs/references/rest-api/objects/cluster/_index.md b/content/operate/rs/references/rest-api/objects/cluster/_index.md
index fa1c77279e..ffbc2b5ccf 100644
--- a/content/operate/rs/references/rest-api/objects/cluster/_index.md
+++ b/content/operate/rs/references/rest-api/objects/cluster/_index.md
@@ -31,6 +31,10 @@ An API object that represents the cluster.
| crdb_coordinator_port | integer, (range: 1024-65535) (default: 9081) | CRDB coordinator port |
| crdt_rest_client_retries | integer | Maximum number of retries for the REST client used by the Active-Active management API |
| crdt_rest_client_timeout | integer | Timeout for REST client used by the Active-Active management API |
+| crdt_supported_featureset_version | integer | CRDB supported featureset version (read-only) |
+| crdt_supported_featureset_version_map | object | CRDB supported featureset version mapping by Redis version (read-only) |
+| crdt_supported_protocol_versions | array of strings | CRDB supported protocol versions (read-only) |
+| crdt_supported_protocol_versions_map | object | CRDB supported protocol versions mapping by Redis version (read-only) |
| created_time | string | Cluster creation date (read-only) |
| data_cipher_list | string | Specifies the enabled ciphers for the data plane. The ciphers are specified in the format understood by the OpenSSL library. |
| data_cipher_suites_tls_1_3 | string | Specifies the enabled TLS 1.3 ciphers for the data plane. |
From 5dabb7e31240c3206580f44709b4eb2189ae662e Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Fri, 8 May 2026 19:33:29 -0500
Subject: [PATCH 04/10] Added crdt_supported_module_featureset_version_map
field to cluster object reference
---
content/operate/rs/references/rest-api/objects/cluster/_index.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/content/operate/rs/references/rest-api/objects/cluster/_index.md b/content/operate/rs/references/rest-api/objects/cluster/_index.md
index ffbc2b5ccf..e649b5d475 100644
--- a/content/operate/rs/references/rest-api/objects/cluster/_index.md
+++ b/content/operate/rs/references/rest-api/objects/cluster/_index.md
@@ -33,6 +33,7 @@ An API object that represents the cluster.
| crdt_rest_client_timeout | integer | Timeout for REST client used by the Active-Active management API |
| crdt_supported_featureset_version | integer | CRDB supported featureset version (read-only) |
| crdt_supported_featureset_version_map | object | CRDB supported featureset version mapping by Redis version (read-only) |
+| crdt_supported_module_featureset_version_map | object | Mapping of module names to per-module-semantic-version supported CRDB featureset versions (read-only) |
| crdt_supported_protocol_versions | array of strings | CRDB supported protocol versions (read-only) |
| crdt_supported_protocol_versions_map | object | CRDB supported protocol versions mapping by Redis version (read-only) |
| created_time | string | Cluster creation date (read-only) |
From 66fe186659ce75ec1824288b6cdbfb7c469dad42 Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Fri, 8 May 2026 19:34:36 -0500
Subject: [PATCH 05/10] DOC-6525 Added Amazon Linux 2023 to supported platforms
---
content/embeds/supported-platforms-embed.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/content/embeds/supported-platforms-embed.md b/content/embeds/supported-platforms-embed.md
index 2cc9d7b940..14d3a55836 100644
--- a/content/embeds/supported-platforms-embed.md
+++ b/content/embeds/supported-platforms-embed.md
@@ -20,6 +20,7 @@ Redis Software is supported on several operating systems, cloud environments, a
| Ubuntu 20.04[2](#table-note-2) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | – |
| Ubuntu 18.04[2](#table-note-2) | – | – | – | :warning: | :warning: | :warning: | :warning: |
| Ubuntu 16.04[2](#table-note-2) | – | – | – | – | :warning: | :warning: | :warning: |
+| Amazon Linux 2023[6](#table-note-6) | ✅ | – | – | – | – | – | – |
| Amazon Linux 2 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | – |
| Amazon Linux 1 | – | – | – | – | :warning: | :warning: | :warning: |
| Kubernetes[3](#table-note-3) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
@@ -35,6 +36,8 @@ Redis Software is supported on several operating systems, cloud environments, a
5. Supported only if [FIPS was enabled during RHEL installation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#proc_installing-the-system-with-fips-mode-enabled_switching-rhel-to-fips-mode) to ensure FIPS compliance.
+6. Amazon Linux 2023 support was added in Redis Software version 8.0.20.
+
The following table shows which Redis Software version first tested and added support for each RHEL version:
| RHEL version | Redis Software version |
From 4f00ea7d784be51bfaa1a33cc4fb28ab5e179af8 Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Fri, 8 May 2026 19:55:01 -0500
Subject: [PATCH 06/10] Added mask_bdb_credentials to cluster object reference
---
content/operate/rs/references/rest-api/objects/cluster/_index.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/content/operate/rs/references/rest-api/objects/cluster/_index.md b/content/operate/rs/references/rest-api/objects/cluster/_index.md
index e649b5d475..3844aab776 100644
--- a/content/operate/rs/references/rest-api/objects/cluster/_index.md
+++ b/content/operate/rs/references/rest-api/objects/cluster/_index.md
@@ -57,6 +57,7 @@ An API object that represents the cluster.
| handle_redirects | boolean (default: false) | Handle API HTTPS requests and redirect to the master node internally |
| http_support | boolean (default: false) | Enable or turn off HTTP support |
| logrotate_settings | [logrotate_settings]({{}}) object | Settings for logrotate configuration |
+| mask_bdb_credentials | boolean (default: false) | If set to true, the BDB credentials will be masked in the BDB API responses |
| metrics_auth | boolean (default: false) | If true, requires authentication for requests to the metrics exporter |
| min_control_TLS_version | "1.2"
"1.3" | The minimum version of TLS protocol which is supported at the control path |
| min_data_TLS_version | "1.2"
"1.3" | The minimum version of TLS protocol which is supported at the data path |
From 59541bfd9106b73bb957e219bb418745c3968759 Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Fri, 8 May 2026 20:28:16 -0500
Subject: [PATCH 07/10] Readded search metrics to v2 metrics list
---
content/embeds/rs-prometheus-metrics-v2.md | 30 ++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/content/embeds/rs-prometheus-metrics-v2.md b/content/embeds/rs-prometheus-metrics-v2.md
index 9911073fa3..279b99d439 100644
--- a/content/embeds/rs-prometheus-metrics-v2.md
+++ b/content/embeds/rs-prometheus-metrics-v2.md
@@ -199,6 +199,7 @@
| redis_server_search_global_total | The total number of user and internal cursors in the shard, either holding pending results or actively executing `FT.CURSOR READ`. Deprecated in 8.0 (split into redis_server_search_cursors_internal_active and redis_server_search_cursors_user_active), but still available in older versions. [1](#tnote-1) |
| redis_server_search_number_of_indexes | Total number of indexes in the shard [1](#tnote-1) |
| redis_server_search_number_of_active_indexes | The total number of indexes running a background indexing and/or background query processing operation. Background indexing refers to vector ingestion process, or in-progress background indexer. [1](#tnote-1) |
+| redis_server_search_total_num_docs_in_indexes | The total number of documents currently indexed across all indexes in the shard. [2](#tnote-2) |
| redis_server_search_number_of_active_indexes_running_queries | Total count of indexes currently running a background query process. [1](#tnote-1) |
| redis_server_search_number_of_active_indexes_indexing | Total count of indexes currently undergoing a background indexing process. Background indexing refers to vector ingestion process, or in-progress background indexer. This metric is limited by the number of WORKER threads allocated for writing operations + the number of indexes. [1](#tnote-1) |
| redis_server_search_total_active_write_threads | Total count of background write (indexing) processes currently running in the shard. Background indexing refers to vector ingestion process, or in-progress background indexer. This metric is limited by the number of threads allocated for writing operations. [1](#tnote-1) |
@@ -229,6 +230,12 @@
| redis_server_search_fields_geoshape_Sortable | The total number of `SORTABLE GEOSHAPE` fields across all indexes in the shard. This field appears only if its value is larger than 0. [2](#tnote-2) |
| redis_server_search_fields_geoshape_NoIndex | The total number of `NOINDEX GEOSHAPE` fields across all indexes in the shard; i.e., used for sorting only but not indexed. This field appears only if its value is larger than 0. [2](#tnote-2) |
| redis_server_search_fields_geoshape_IndexErrors | The total number of indexing failures caused by attempts to index a document containing a `GEOSHAPE` field. This field appears only if `GEOSHAPE` fields exist. [2](#tnote-2) |
+| redis_server_search_total_indexing_ops_text_fields | The total number of indexing operations performed on `TEXT` fields across all indexes in the shard. [2](#tnote-2) |
+| redis_server_search_total_indexing_ops_tag_fields | The total number of indexing operations performed on `TAG` fields across all indexes in the shard. [2](#tnote-2) |
+| redis_server_search_total_indexing_ops_numeric_fields | The total number of indexing operations performed on `NUMERIC` fields across all indexes in the shard. [2](#tnote-2) |
+| redis_server_search_total_indexing_ops_geo_fields | The total number of indexing operations performed on `GEO` fields across all indexes in the shard. [2](#tnote-2) |
+| redis_server_search_total_indexing_ops_geoshape_fields | The total number of indexing operations performed on `GEOSHAPE` fields across all indexes in the shard. [2](#tnote-2) |
+| redis_server_search_total_indexing_ops_vector_fields | The total number of indexing operations performed on `VECTOR` fields across all indexes in the shard. [2](#tnote-2) |
| redis_server_search_used_memory_indexes | The total memory allocated by all indexes in the shard in bytes. [1](#tnote-1) |
| redis_server_search_smallest_memory_index | The memory usage of the index with the smallest memory usage in the shard in bytes. [1](#tnote-1) |
| redis_server_search_largest_memory_index | The memory usage of the index with the largest memory usage in the shard in bytes. [1](#tnote-1) |
@@ -247,6 +254,29 @@
| redis_server_search_total_active_queries | The total number of background queries currently being executed in the shard, excluding `FT.CURSOR READ`. [1](#tnote-1) |
| redis_server_search_errors_indexing_failures | The total number of indexing failures recorded across all indexes in the shard. [1](#tnote-1) |
| redis_server_search_errors_for_index_with_max_failures | The number of indexing failures in the index with the highest count of failures. [1](#tnote-1) |
+| redis_server_search_OOM_indexing_failures_indexes_count | The count of indexes that experienced out-of-memory (OOM) failures during background indexing. [2](#tnote-2) |
+| redis_server_search_shard_total_query_errors_syntax | The total number of query syntax errors occurred in the shard. [2](#tnote-2) |
+| redis_server_search_shard_total_query_errors_arguments | The total number of queries in the shard that failed due to missing or invalid arguments. [2](#tnote-2) |
+| redis_server_search_shard_total_query_errors_timeout | The total number of query timeout errors occurred in the shard (when timeout policy is 'fail'). [2](#tnote-2) |
+| redis_server_search_shard_total_query_warnings_timeout | The total number of query timeout warnings occurred in the shard (when timeout policy is 'return partial results'). [2](#tnote-2) |
+| redis_server_search_shard_total_query_errors_oom | The total number of query out-of-memory errors occurred in the shard. [4](#tnote-4) |
+| redis_server_search_shard_total_query_warnings_oom | The total number of query out-of-memory warnings occurred in the shard. [4](#tnote-4) |
+| redis_server_search_shard_total_query_warnings_max_prefix_expansions | The total number of max prefix expansion warnings occurred in the shard. [2](#tnote-2) |
+| redis_server_search_coord_total_query_errors_syntax | The total number of query syntax errors occurred at the coordinator. [2](#tnote-2) |
+| redis_server_search_coord_total_query_errors_arguments | The total number of query argument errors encountered by the shard's coordinator. [2](#tnote-2) |
+| redis_server_search_coord_total_query_errors_timeout | The total number of query timeout errors encountered by the shard's coordinator (when timeout policy is 'fail'). [2](#tnote-2) |
+| redis_server_search_coord_total_query_warnings_timeout | The total number of query timeout warnings encountered by the shard's coordinator (when timeout policy is 'return partial results'). [2](#tnote-2) |
+| redis_server_search_coord_total_query_errors_oom | The total number of query out-of-memory errors encountered by the shard's coordinator. [4](#tnote-4) |
+| redis_server_search_coord_total_query_warnings_oom | The total number of query out-of-memory warnings encountered by the shard's coordinator. [4](#tnote-4) |
+| redis_server_search_coord_total_query_warnings_max_prefix_expansions | The total number of max prefix expansion warnings encountered by the shard's coordinator. [2](#tnote-2) |
+| redis_server_search_uv_threads_running_queries | The number of I/O threads currently handling query distribution to shards in cluster environments. [2](#tnote-2) |
+| redis_server_search_uv_threads_running_topology_update | The number of UV threads currently running topology updates. [3](#tnote-3) |
+| redis_server_search_active_worker_threads | The number of active worker threads. [2](#tnote-2) |
+| redis_server_search_active_coord_threads | The number of active coordinator threads. [2](#tnote-2) |
+| redis_server_search_workers_low_priority_pending_jobs | The number of pending low-priority jobs in worker threads, such as vector background indexing, graph updates, and vector garbage collection in graph-based indexes. [2](#tnote-2) |
+| redis_server_search_workers_high_priority_pending_jobs | The number of pending high-priority jobs in worker threads, such as query execution. [2](#tnote-2) |
+| redis_server_search_workers_admin_priority_pending_jobs | The number of pending admin-priority jobs in worker threads, such as threadpool configuration changes. [3](#tnote-3) |
+| redis_server_search_coord_high_priority_pending_jobs | The number of pending jobs in the coordinator thread queue. Coordinator threads only have a high-priority queue and are primarily used for query distribution. [2](#tnote-2) |
| shard_ping_failures | gauge | Number of consecutive ping failures for a shard. Labels: shard_uid, role |
| shard_ping_failure_duration_seconds | gauge | Duration of ongoing failures (0 when healthy). Labels: shard_uid, role |
From 467885b0e33867a272b3eee091c8944273d37982 Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Fri, 8 May 2026 20:46:26 -0500
Subject: [PATCH 08/10] DOC-6420 RS 8.0.20 release notes draft
---
.../rs-8-0-releases/rs-8-0-20-16.md | 620 ++++++++++++++++++
1 file changed, 620 insertions(+)
create mode 100644 content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
diff --git a/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
new file mode 100644
index 0000000000..ead3e710f2
--- /dev/null
+++ b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
@@ -0,0 +1,620 @@
+---
+Title: Redis Software release notes 8.0.20-16 (May 2026)
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+compatibleOSSVersion: Redis 8.6.2, 8.4.0, 8.2.1, 8.0.2, 7.4.3, 7.2.7, 6.2.13
+description: Certificate-based authentication for LDAP. Amazon Linux 2023 support. API enhancements for Active-Active databases and identifying manually stopped database traffic. New Redis Search metrics.
+linkTitle: 8.0.20-16 (May 2026)
+weight: 81
+---
+
+[Redis Software version 8.0.20](https://redis.io/downloads/#Redis_Software) is now available! This release includes API enhancements that warranted a new minor version instead of a maintenance release for version 8.0.18. However, you can upgrade from 8.0.2 through 8.0.18 to 8.0.20 without issue.
+
+## Highlights
+
+This version offers:
+
+- Certificate-based authentication for LDAP
+
+- Amazon Linux 2023 support
+
+- API enhancements for Active-Active databases and identifying manually stopped database traffic
+
+- New Redis Search metrics
+
+## New in this release
+
+### New features
+
+#### Certificate-based authentication for LDAP
+
+Redis Software now supports certificate-based authentication for LDAP users. This feature allows users to authenticate to the database using client certificates while authorization and role mapping are managed using LDAP.
+
+See [Certificate-based authentication for LDAP]({{}}) for details and instructions.
+
+#### Amazon Linux 2023 support
+
+Redis Software now supports the Amazon Linux 2023 operating system.
+
+#### Enhancements
+
+- Setting the `mask_bdb_credentials` [cluster setting]({{}}) to `true` also sanitizes responses for [Active-Active database]({{}}) REST API requests.
+
+- Added a `traffic_manually_disabled` field to the [BDB object]({{}}) to indicate whether database traffic was manually stopped using a [`stop_traffic`]({{}}) REST API request. [`rladmin status extra all`]({{}}) also conditionally displays a `TRAFFIC_MANUALLY_DISABLED` column if any database's traffic was manually stopped.
+
+- Added a `crdt_supported_module_featureset_version_map` field to the response for REST API requests to [get cluster info]({{}}). This new field provides aggregated module featureset version information, enabling clients to query which featureset versions are supported by each module across the cluster.
+
+- The [metrics stream engine]({{}}) exports new Redis Search [metrics]({{}}).
+
+### Redis database versions
+
+Redis Software version 8.0.20 includes the following Redis database versions: 8.6.2, 8.4.0, 8.2.1, 8.0.2, 7.4.3, 7.2.7, and 6.2.13.
+
+The [default Redis database version]({{}}) is 8.6.
+
+### Redis feature sets
+
+Redis Software includes multiple feature sets, compatible with different Redis database versions.
+
+The following table shows which Redis modules are compatible with each Redis database version included in this release.
+
+| Redis database version | Compatible Redis modules |
+|------------------------|--------------------------|
+| 8.6 | RediSearch 8.6
RedisJSON 8.4
RedisTimeSeries 8.6
RedisBloom 8.6
See [What's new in Redis 8.6]({{}}) and [Redis Open Source 8.6 release notes]({{}}) |
+| 8.4 | RediSearch 8.4
RedisJSON 8.4
RedisTimeSeries 8.4
RedisBloom 8.4
See [What's new in Redis 8.4]({{}}) and [Redis Open Source 8.4 release notes]({{}}) |
+| 8.2 | RediSearch 8.2
RedisJSON 8.2
RedisTimeSeries 8.2
RedisBloom 8.2
See [What's new in Redis 8.2]({{}}) and [Redis Open Source 8.2 release notes]({{}}) |
+| 8.0 | RediSearch 8.0
RedisJSON 8.0
RedisTimeSeries 8.0
RedisBloom 8.0
See [What's new in Redis 8.0]({{}}) and [Redis Open Source 8.0 release notes]({{}}) |
+| 7.4 | [RediSearch 2.10]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.10-release-notes.md" >}})
[RedisJSON 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.8-release-notes.md" >}})
[RedisTimeSeries 1.12]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.12-release-notes.md" >}})
[RedisBloom 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.8-release-notes.md" >}}) |
+| 7.2 | [RediSearch 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.8-release-notes.md" >}})
[RedisJSON 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.6-release-notes.md" >}})
[RedisTimeSeries 1.10]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.10-release-notes.md" >}})
[RedisBloom 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.6-release-notes.md" >}}) |
+| 6.2 | [RediSearch 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.6-release-notes.md" >}})
[RedisJSON 2.4]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.4-release-notes.md" >}})
[RedisTimeSeries 1.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.8-release-notes.md" >}})
[RedisBloom 2.4]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.4-release-notes.md" >}}) |
+
+### Resolved issues
+
+- RS193164: Fixed an issue where the `rladmin cluster join` command would incorrectly print a bootstrap error when replacing a node in a cluster that uses a custom `cnm_https_port`, despite the join operation completing successfully.
+
+- RS192584: Fixed an issue where the installation script failed to skip the DNS port verification check when the `--skip-dns-port-verification` flag was provided.
+
+- RS178757: Simplified the `node_wd` log output to include only the relevant IP addresses and shard roles instead of all shard details when there is a mismatch with the primary shard IP address during replication to reduce excessive logging.
+
+- RS192988: Fixed an issue where `dmcproxy` could experience high CPU utilization when shards reached their maximum client connection limits, which could cause shard migration and failover issues.
+
+- RS192736: Fixed an issue where shards could be left in an invalid role state after brief node failures and recoveries under high CPU load.
+
+- RS192586: Fixed an issue where endpoint configuration operations could fail during cluster upgrades if a primary node failover occurred while an operation was in progress between nodes running different software versions.
+
+- RS192576: Fixed an issue where the `rof_partial_rdb_support` cluster setting for `repl-use-sst-transfer` for Redis Flex databases was only applied to existing shards and not correctly applied to newly created shards.
+
+- RS184302: Fixed an issue where creating an Active-Active database could fail when Append-Only File (AOF) persistence was enabled with the `appendfsync-always` policy.
+
+- RS177923: Fixed an issue that could allow partial diagnostic logs to be read before completion.
+
+- RS187553: Fixed an issue where certain PEM and configuration files were not automatically deleted after the deletion of Active-Active or Replica Of databases or after syncer deactivation, which could lead to false certificate expiration alerts.
+
+- RS170893: Limited `cluster_wd` metrics exporter exposure to localhost.
+
+## Version changes
+
+### OpenSSL version
+
+Redis Software version 8.0.16 and later requires OpenSSL 3.3 or later.
+
+### Reserved ports
+
+Make sure the following ports are open before upgrading Redis Software.
+
+Ports reserved as of Redis Software version 8.0.18:
+
+| Port | Process name | Usage |
+|------|--------------|-------|
+| 3357 | reconciliation_tree_grpc | Internal communication |
+
+Ports reserved as of Redis Software version 7.22.0:
+
+| Port | Process name | Usage |
+|------|--------------|-------|
+| 3346 | cluster_api_internal | Cluster API internal port |
+| 3351 | cluster_watchdog_grpc_api | Cluster watchdog now supports gRPC |
+| 3352 | grpc_service_mesh | gRPC communication between nodes |
+| 3353 | local_grpc_service_mesh | Local gRPC services |
+| 3354 | grpc_gossip_envoy | gRPC gossip protocol communication between nodes |
+| 3355 | authentication_service | Authentication service internal port |
+
+Ports reserved as of Redis Software version 7.8.2:
+
+| Port | Process name | Usage |
+|------|--------------|-------|
+| 3347 | cert_exporter | Reports cluster certificate metrics |
+| 3348 | process_exporter | Reports process metrics for DMC and Redis processes |
+| 3349 | cluster_wd_exporter | Reports cluster watchdog metrics |
+| 3350 | db_controller | Internode communication |
+| 9091 | node_exporter | Reports host node metrics related to CPU, memory, disk, and more |
+| 9125 | statsd_exporter | Reports push metrics related to the DMC and syncer, and some cluster and node metrics |
+
+See [Ports and port ranges used by Redis Software]({{}}) for a complete list.
+
+### Supported platforms
+
+✅ Supported – The platform is supported for this version of Redis Software and Redis Stack modules.
+
+:warning: Deprecation warning – The platform is still supported for this version of Redis Software, but support will be removed in a future release.
+
+| Redis Software
major versions | 8.0 | 7.22 | 7.8 | 7.4 | 7.2 | 6.4 | 6.2 |
+|---------------------------------|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:|
+| **Release date** | Oct 2025 | May 2025 | Nov 2024 | Feb 2024 | Aug 2023 | Feb 2023 | Aug 2021 |
+| [**End-of-life date**]({{< relref "/operate/rs/installing-upgrading/product-lifecycle#endoflife-schedule" >}}) | Determined after
next major release | Oct 2027 | May 2027 | Nov 2026 | Feb 2026 | Aug 2025 | Feb 2025 |
+| **Platforms** | | | | | | | |
+| RHEL 9 &
compatible distros[1](#table-note-1) | ✅ | ✅ | ✅ | ✅ | – | – | – |
+| RHEL 9
FIPS mode[5](#table-note-5) | ✅ | ✅ | ✅ | – | – | – | – |
+| RHEL 8 &
compatible distros[1](#table-note-1) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| RHEL 7 &
compatible distros[1](#table-note-1) | – | – | – | – | :warning: | :warning: | :warning: |
+| Ubuntu 22.04[2](#table-note-2) | ✅ | ✅ | ✅ | – | – | – | – |
+| Ubuntu 20.04[2](#table-note-2) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | – |
+| Ubuntu 18.04[2](#table-note-2) | – | – | – | :warning: | :warning: | :warning: | :warning: |
+| Ubuntu 16.04[2](#table-note-2) | – | – | – | – | :warning: | :warning: | :warning: |
+| Amazon Linux 2023[6](#table-note-6) | ✅ | – | – | – | – | – | – |
+| Amazon Linux 2 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | – |
+| Amazon Linux 1 | – | – | – | – | :warning: | :warning: | :warning: |
+| Kubernetes[3](#table-note-3) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| Docker[4](#table-note-4) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+
+1. The RHEL-compatible distributions CentOS, CentOS Stream, Alma, and Rocky are supported if they have full RHEL compatibility. Oracle Linux running the Red Hat Compatible Kernel (RHCK) is supported, but the Unbreakable Enterprise Kernel (UEK) is not supported.
+
+2. The server version of Ubuntu is recommended for production installations. The desktop version is only recommended for development deployments.
+
+3. See the [Redis Enterprise for Kubernetes documentation]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}) for details about support per version and Kubernetes distribution.
+
+4. [Docker images]({{< relref "/operate/rs/installing-upgrading/quickstarts/docker-quickstart" >}}) of Redis Software are certified for development and testing only.
+
+5. Supported only if [FIPS was enabled during RHEL installation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#proc_installing-the-system-with-fips-mode-enabled_switching-rhel-to-fips-mode) to ensure FIPS compliance.
+
+6. Amazon Linux 2023 support was added in Redis Software version 8.0.20.
+
+## Downloads
+
+The following table shows the SHA256 checksums for the available packages:
+
+| Package | SHA256 checksum (8.0.20-16 May release) |
+|---------|---------------------------------------|
+| Ubuntu 20 | |
+| Ubuntu 22 (amd64) | |
+| Ubuntu 22 (arm64) | |
+| Red Hat Enterprise Linux (RHEL) 8 | |
+| Red Hat Enterprise Linux (RHEL) 9 (amd64) | |
+| Red Hat Enterprise Linux (RHEL) 9 (arm64) | |
+| Amazon Linux 2 | |
+| Amazon Linux 2023 | |
+
+## Known issues
+
+- RS155734: Endpoint availability metrics do not work as expected due to a calculation error.
+
+## Known limitations
+
+#### Trim ACKED not supported for Active-Active 8.4 databases
+
+For Active-Active databases running Redis database version 8.4, the `ACKED` option is not supported for trimming commands.
+
+#### Rolling upgrade limitation for clusters with custom or deprecated modules
+
+Due to module handling changes introduced in Redis Software version 8.0, upgrading a cluster that contains custom or deprecated modules, such as RedisGraph and RedisGears v2, can become stuck when adding a new node to the cluster during a rolling upgrade.
+
+#### Module commands limitation during Active-Active database upgrades to Redis 8.0
+
+When upgrading an Active-Active database to Redis version 8.0, you cannot use module commands until all Active-Active database instances have been upgraded. Currently, these commands are not blocked automatically.
+
+#### Redis 8.0 database cannot be created with flash
+
+You cannot create a Redis 8.0 database with flash storage enabled. Create a Redis 8.0 database with RAM-only storage instead, or use Redis 8.2 for flash-enabled (Redis Flex) databases.
+
+#### Cluster Manager UI limitations
+
+The following legacy UI features are not yet available in the new Cluster Manager UI:
+
+- Purge an Active-Active instance.
+
+ Use [`crdb-cli crdb purge-instance`]({{< relref "/operate/rs/references/cli-utilities/crdb-cli/crdb/purge-instance" >}}) instead.
+
+- Search and export the log.
+
+## Security
+
+#### Redis Open Source security fixes compatibility
+
+As part of Redis's commitment to security, Redis Software implements the latest [security fixes](https://github.com/redis/redis/releases) available with [Redis Open Source](https://github.com/redis/redis). Redis Software has already included the fixes for the relevant CVEs.
+
+Some CVEs announced for Redis Open Source do not affect Redis Software due to different or additional functionality available in Redis Software that is not available in Redis Open Source.
+
+Redis Software 8.0.20-16 supports Redis Open Source 8.6, 8.4, 8.2, 8.0, 7.4, 7.2, and 6.2. Below is the list of Redis Open Source CVEs and other security vulnerabilities fixed by version.
+
+Redis 8.6.x:
+
+- VSET: Large `VADD REDUCE` values can lead to out-of-memory crashes or buffer overflow.
+
+- (CVE-2026-23479) When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free and potentially lead to remote code execution.
+
+- (CVE‑2026‑25243) A vulnerability in the Redis `RESTORE` command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-25588) A vulnerability in the `RESTORE` command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE‑2026‑25589) A vulnerability in the `RESTORE` command, when used with the RedisBloom module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-23631) An authenticated user may exploit the synchronization mechanism of the master-replica and trigger a use-after-free vulnerability, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured with `replica-read-only` disabled, and exists in all versions of Redis with Lua scripting.
+
+- Insufficient sanitization of Lua script error messages can allow an authenticated user with `EVAL` permission to inject arbitrary RESP protocol responses, leading to denial of service, data manipulation, and connection pool poisoning.
+
+- RedisBloom: Integer overflow in `TopK` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `td_histogram_t` RDB loading may lead to heap buffer overflow.
+
+- RedisBloom: Missing validation in `CuckooFilter` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `SBChain` and `CMSketch` RDB loading may lead to heap out-of-bounds write.
+
+- Added validation of limits during RDB load and data creation to avoid resource exhaustion and Denial-of-Service (DoS) vulnerabilities.
+
+Redis 8.4.x:
+
+- VSET: Large `VADD REDUCE` values can lead to out-of-memory crashes or buffer overflow.
+
+- (CVE-2026-23479) When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free and potentially lead to remote code execution.
+
+- (CVE‑2026‑25243) A vulnerability in the Redis `RESTORE` command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-25588) A vulnerability in the `RESTORE` command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE‑2026‑25589) A vulnerability in the `RESTORE` command, when used with the RedisBloom module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-23631) An authenticated user may exploit the synchronization mechanism of the master-replica and trigger a use-after-free vulnerability, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured with `replica-read-only` disabled, and exists in all versions of Redis with Lua scripting.
+
+- Insufficient sanitization of Lua script error messages can allow an authenticated user with `EVAL` permission to inject arbitrary RESP protocol responses, leading to denial of service, data manipulation, and connection pool poisoning.
+
+- RedisBloom: Integer overflow in `TopK` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `td_histogram_t` RDB loading may lead to heap buffer overflow.
+
+- RedisBloom: Missing validation in `CuckooFilter` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `SBChain` and `CMSketch` RDB loading may lead to heap out-of-bounds write.
+
+- Added validation of limits during RDB load and data creation to avoid resource exhaustion and Denial-of-Service (DoS) vulnerabilities.
+
+Redis 8.2.x:
+
+- VSET: Large `VADD REDUCE` values can lead to out-of-memory crashes or buffer overflow.
+
+- (CVE-2026-23479) When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free and potentially lead to remote code execution.
+
+- (CVE‑2026‑25243) A vulnerability in the Redis `RESTORE` command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-25588) A vulnerability in the `RESTORE` command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE‑2026‑25589) A vulnerability in the `RESTORE` command, when used with the RedisBloom module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-23631) An authenticated user may exploit the synchronization mechanism of the master-replica and trigger a use-after-free vulnerability, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured with `replica-read-only` disabled, and exists in all versions of Redis with Lua scripting.
+
+- Insufficient sanitization of Lua script error messages can allow an authenticated user with `EVAL` permission to inject arbitrary RESP protocol responses, leading to denial of service, data manipulation, and connection pool poisoning.
+
+- RedisBloom: Integer overflow in `TopK` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `td_histogram_t` RDB loading may lead to heap buffer overflow.
+
+- RedisBloom: Missing validation in `CuckooFilter` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `SBChain` and `CMSketch` RDB loading may lead to heap out-of-bounds write.
+
+- Added validation of limits during RDB load and data creation to avoid resource exhaustion and Denial-of-Service (DoS) vulnerabilities.
+
+- RedisBloom: Restore invalid filter.
+
+- (CVE-2025-62507) A user can run the `XACKDEL` command with multiple IDs and trigger a stack buffer overflow, which can potentially lead to remote code execution.
+
+- The `HGETEX` command can lead to a buffer overflow.
+
+- Integer overflow in `hllPatLen`.
+
+- RedisBloom: Cuckoo filter counter overflow.
+
+- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes.
+
+- RedisBloom: Reachable assert in `TopK_Create`
+
+- RedisBloom: Out-of-bounds access with empty Bloom chains.
+
+- RedisBloom: Division by zero in Cuckoo filter insertion.
+
+- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user.
+
+- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service.
+
+- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
+
+- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.
+
+Redis 8.0.x:
+
+- VSET: Large `VADD REDUCE` values can lead to out-of-memory crashes or buffer overflow.
+
+- (CVE-2026-23479) When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free and potentially lead to remote code execution.
+
+- (CVE‑2026‑25243) A vulnerability in the Redis `RESTORE` command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-25588) A vulnerability in the `RESTORE` command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE‑2026‑25589) A vulnerability in the `RESTORE` command, when used with the RedisBloom module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-23631) An authenticated user may exploit the synchronization mechanism of the master-replica and trigger a use-after-free vulnerability, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured with `replica-read-only` disabled, and exists in all versions of Redis with Lua scripting.
+
+- Insufficient sanitization of Lua script error messages can allow an authenticated user with `EVAL` permission to inject arbitrary RESP protocol responses, leading to denial of service, data manipulation, and connection pool poisoning.
+
+- RedisBloom: Integer overflow in `TopK` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `td_histogram_t` RDB loading may lead to heap buffer overflow.
+
+- RedisBloom: Missing validation in `CuckooFilter` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `SBChain` and `CMSketch` RDB loading may lead to heap out-of-bounds write.
+
+- Added validation of limits during RDB load and data creation to avoid resource exhaustion and Denial-of-Service (DoS) vulnerabilities.
+
+- RedisBloom: Restore invalid filter.
+
+- The `HGETEX` command can lead to a buffer overflow.
+
+- Integer overflow in `hllPatLen`.
+
+- RedisBloom: Cuckoo filter counter overflow.
+
+- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes.
+
+- RedisBloom: Reachable assert in `TopK_Create`
+
+- RedisBloom: Out-of-bounds access with empty Bloom chains.
+
+- RedisBloom: Division by zero in Cuckoo filter insertion.
+
+- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user.
+
+- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service.
+
+- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
+
+- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.
+
+Redis 7.4.x:
+
+- (CVE-2026-23479) When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free and potentially lead to remote code execution.
+
+- (CVE‑2026‑25243) A vulnerability in the Redis `RESTORE` command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-25588) A vulnerability in the `RESTORE` command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE‑2026‑25589) A vulnerability in the `RESTORE` command, when used with the RedisBloom module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-23631) An authenticated user may exploit the synchronization mechanism of the master-replica and trigger a use-after-free vulnerability, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured with `replica-read-only` disabled, and exists in all versions of Redis with Lua scripting.
+
+- Insufficient sanitization of Lua script error messages can allow an authenticated user with `EVAL` permission to inject arbitrary RESP protocol responses, leading to denial of service, data manipulation, and connection pool poisoning.
+
+- RedisBloom: Integer overflow in `TopK` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `td_histogram_t` RDB loading may lead to heap buffer overflow.
+
+- RedisBloom: Missing validation in `CuckooFilter` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `SBChain` and `CMSketch` RDB loading may lead to heap out-of-bounds write.
+
+- Added validation of limits during RDB load and data creation to avoid resource exhaustion and Denial-of-Service (DoS) vulnerabilities.
+
+- RedisBloom: Restore invalid filter.
+
+- Integer overflow in `hllPatLen`.
+
+- RedisBloom: Cuckoo filter counter overflow.
+
+- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes.
+
+- RedisBloom: Reachable assert in `TopK_Create`
+
+- RedisBloom: Out-of-bounds access with empty Bloom chains.
+
+- RedisBloom: Division by zero in Cuckoo filter insertion.
+
+- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user.
+
+- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service.
+
+- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
+
+- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.
+
+- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution.
+
+- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service.
+
+Redis 7.2.x:
+
+- (CVE-2026-23479) When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free and potentially lead to remote code execution.
+
+- (CVE‑2026‑25243) A vulnerability in the Redis `RESTORE` command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-25588) A vulnerability in the `RESTORE` command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE‑2026‑25589) A vulnerability in the `RESTORE` command, when used with the RedisBloom module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-23631) An authenticated user may exploit the synchronization mechanism of the master-replica and trigger a use-after-free vulnerability, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured with `replica-read-only` disabled, and exists in all versions of Redis with Lua scripting.
+
+- Insufficient sanitization of Lua script error messages can allow an authenticated user with `EVAL` permission to inject arbitrary RESP protocol responses, leading to denial of service, data manipulation, and connection pool poisoning.
+
+- RedisBloom: Integer overflow in `TopK` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `td_histogram_t` RDB loading may lead to heap buffer overflow.
+
+- RedisBloom: Missing validation in `CuckooFilter` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `SBChain` and `CMSketch` RDB loading may lead to heap out-of-bounds write.
+
+- Added validation of limits during RDB load and data creation to avoid resource exhaustion and Denial-of-Service (DoS) vulnerabilities.
+
+- RedisBloom: Restore invalid filter.
+
+- Integer overflow in `hllPatLen`.
+
+- RedisBloom: Cuckoo filter counter overflow.
+
+- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes.
+
+- RedisBloom: Reachable assert in `TopK_Create`
+
+- RedisBloom: Out-of-bounds access with empty Bloom chains.
+
+- RedisBloom: Division by zero in Cuckoo filter insertion.
+
+- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user.
+
+- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service.
+
+- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
+
+- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.
+
+- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution.
+
+- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service.
+
+- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.
+
+- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes.
+
+- (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.
+
+- (CVE-2023-41053) Redis does not correctly identify keys accessed by `SORT_RO` and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.2.1)
+
+Redis 7.0.x:
+
+- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.
+
+- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes.
+
+- (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution.
+
+- (CVE-2023-41053) Redis does not correctly identify keys accessed by `SORT_RO` and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.0.13)
+
+- (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. Specifically: using `COMMAND GETKEYS*` and validation of key names in ACL rules. (Redis 7.0.12)
+
+- (CVE-2023-28856) Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access. (Redis 7.0.11)
+
+- (CVE-2023-28425) Specially crafted `MSETNX` commands can lead to assertion and denial-of-service. (Redis 7.0.10)
+
+- (CVE-2023-25155) Specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 7.0.9)
+
+- (CVE-2023-22458) Integer overflow in the Redis `HRANDFIELD` and `ZRANDMEMBER` commands can lead to denial-of-service. (Redis 7.0.8)
+
+- (CVE-2022-36021) String matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis can cause it to hang and consume 100% CPU time. (Redis 7.0.9)
+
+- (CVE-2022-35977) Integer overflow in the Redis `SETRANGE` and `SORT`/`SORT_RO` commands can drive Redis to OOM panic. (Redis 7.0.8)
+
+- (CVE-2022-35951) Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.5)
+
+- (CVE-2022-31144) A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result in heap overflow and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.4)
+
+- (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 7.0.12)
+
+- (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the `redis-server` process. This issue affects all versions of Redis. (Redis 7.0.0)
+
+- (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 7.0.0)
+
+Redis 6.2.x:
+
+- (CVE-2026-23479) When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free and potentially lead to remote code execution.
+
+- (CVE‑2026‑25243) A vulnerability in the Redis `RESTORE` command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-25588) A vulnerability in the `RESTORE` command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE‑2026‑25589) A vulnerability in the `RESTORE` command, when used with the RedisBloom module, allows an authenticated attacker to trigger invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
+
+- (CVE-2026-23631) An authenticated user may exploit the synchronization mechanism of the master-replica and trigger a use-after-free vulnerability, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured with `replica-read-only` disabled, and exists in all versions of Redis with Lua scripting.
+
+- Insufficient sanitization of Lua script error messages can allow an authenticated user with `EVAL` permission to inject arbitrary RESP protocol responses, leading to denial of service, data manipulation, and connection pool poisoning.
+
+- RedisBloom: Integer overflow in `TopK` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `td_histogram_t` RDB loading may lead to heap buffer overflow.
+
+- RedisBloom: Missing validation in `CuckooFilter` RDB loading may lead to heap out-of-bounds access.
+
+- RedisBloom: Missing validation in `SBChain` and `CMSketch` RDB loading may lead to heap out-of-bounds write.
+
+- Added validation of limits during RDB load and data creation to avoid resource exhaustion and Denial-of-Service (DoS) vulnerabilities.
+
+- RedisBloom: Restore invalid filter.
+
+- Integer overflow in `hllPatLen`.
+
+- RedisBloom: Cuckoo filter counter overflow.
+
+- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes.
+
+- RedisBloom: Reachable assert in `TopK_Create`
+
+- RedisBloom: Out-of-bounds access with empty Bloom chains.
+
+- RedisBloom: Division by zero in Cuckoo filter insertion.
+
+- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user.
+
+- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service.
+
+- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
+
+- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.
+
+- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution.
+
+- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service.
+
+- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution.
+
+- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes.
+
+- (CVE-2023-28856) Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access. (Redis 6.2.12)
+
+- (CVE-2023-25155) Specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.2.11)
+
+- (CVE-2023-22458) Integer overflow in the Redis `HRANDFIELD` and `ZRANDMEMBER` commands can lead to denial-of-service. (Redis 6.2.9)
+
+- (CVE-2022-36021) String matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis can cause it to hang and consume 100% CPU time. (Redis 6.2.11)
+
+- (CVE-2022-35977) Integer overflow in the Redis `SETRANGE` and `SORT`/`SORT_RO` commands can drive Redis to OOM panic. (Redis 6.2.9)
+
+- (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.2.13)
+
+- (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the `redis-server` process. This issue affects all versions of Redis. (Redis 6.2.7)
+
+- (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 6.2.7)
+
+- (CVE-2021-41099) Integer to heap buffer overflow handling certain string commands and network payloads, when `proto-max-bulk-len` is manually configured to a non-default, very large value. (Redis 6.2.6)
+
+- (CVE-2021-32762) Integer to heap buffer overflow issue in `redis-cli` and `redis-sentinel` parsing large multi-bulk replies on some older and less common platforms. (Redis 6.2.6)
+
+- (CVE-2021-32761) An integer overflow bug in Redis version 2.2 or newer can be exploited using the `BITFIELD` command to corrupt the heap and potentially result with remote code execution. (Redis 6.2.5)
+
+- (CVE-2021-32687) Integer to heap buffer overflow with intsets, when `set-max-intset-entries` is manually configured to a non-default, very large value. (Redis 6.2.6)
+
+- (CVE-2021-32675) Denial Of Service when processing RESP request payloads with a large number of elements on many connections. (Redis 6.2.6)
+
+- (CVE-2021-32672) Random heap reading issue with Lua Debugger. (Redis 6.2.6)
+
+- (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for `hash-max-ziplist-entries`, `hash-max-ziplist-value`, `zset-max-ziplist-entries` or `zset-max-ziplist-value`. (Redis 6.2.6)
+
+- (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for `proto-max-bulk-len` and `client-query-buffer-limit`. (Redis 6.2.6)
+
+- (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer overflow. (Redis 6.2.6)
+
+- (CVE-2021-32625) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477. (Redis 6.2.4)
+
+- (CVE-2021-29478) An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2). (Redis 6.2.3)
+
+- (CVE-2021-29477) An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. (Redis 6.2.3)
\ No newline at end of file
From b48cf017e3c4b8ef3a65c8852b4dfa3133bc05c3 Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Tue, 12 May 2026 09:38:27 -0500
Subject: [PATCH 09/10] Feedback updates for cert-based auth for LDAP
---
.../rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md | 8 ++++----
.../ldap/certificate-based-authentication.md | 2 ++
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
index ead3e710f2..a130ffc819 100644
--- a/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
+++ b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
@@ -6,7 +6,7 @@ categories:
- operate
- rs
compatibleOSSVersion: Redis 8.6.2, 8.4.0, 8.2.1, 8.0.2, 7.4.3, 7.2.7, 6.2.13
-description: Certificate-based authentication for LDAP. Amazon Linux 2023 support. API enhancements for Active-Active databases and identifying manually stopped database traffic. New Redis Search metrics.
+description: Certificate-based authentication with LDAP group-based authorization. Amazon Linux 2023 support. API enhancements for Active-Active databases and identifying manually stopped database traffic. New Redis Search metrics.
linkTitle: 8.0.20-16 (May 2026)
weight: 81
---
@@ -17,7 +17,7 @@ weight: 81
This version offers:
-- Certificate-based authentication for LDAP
+- Certificate-based authentication with LDAP group-based authorization
- Amazon Linux 2023 support
@@ -29,9 +29,9 @@ This version offers:
### New features
-#### Certificate-based authentication for LDAP
+#### Certificate-based authentication with LDAP group-based authorization
-Redis Software now supports certificate-based authentication for LDAP users. This feature allows users to authenticate to the database using client certificates while authorization and role mapping are managed using LDAP.
+Redis Software now enables secure client certificate authentication for LDAP users, combining strong authentication with centralized role-based authorization managed through LDAP.
See [Certificate-based authentication for LDAP]({{}}) for details and instructions.
diff --git a/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md b/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md
index 7f5e488193..218740b95e 100644
--- a/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md
+++ b/content/operate/rs/security/access-control/ldap/certificate-based-authentication.md
@@ -41,6 +41,8 @@ To set up certificate-based authentication for LDAP:
- The certificate subject must follow [RFC 4514](https://datatracker.ietf.org/doc/html/rfc4514) formatting.
+ - Do not create local user accounts for LDAP users.
+
{{}}
From 74b6d5b19b164d9f563e979492d83f745327f849 Mon Sep 17 00:00:00 2001
From: Rachel Elledge
Date: Tue, 12 May 2026 11:06:41 -0500
Subject: [PATCH 10/10] Feedback update for search metrics wording
---
.../rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
index a130ffc819..297c577f88 100644
--- a/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
+++ b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-20-16.md
@@ -6,7 +6,7 @@ categories:
- operate
- rs
compatibleOSSVersion: Redis 8.6.2, 8.4.0, 8.2.1, 8.0.2, 7.4.3, 7.2.7, 6.2.13
-description: Certificate-based authentication with LDAP group-based authorization. Amazon Linux 2023 support. API enhancements for Active-Active databases and identifying manually stopped database traffic. New Redis Search metrics.
+description: Certificate-based authentication with LDAP group-based authorization. Amazon Linux 2023 support. API enhancements for Active-Active databases and identifying manually stopped database traffic. New search metrics.
linkTitle: 8.0.20-16 (May 2026)
weight: 81
---
@@ -23,7 +23,7 @@ This version offers:
- API enhancements for Active-Active databases and identifying manually stopped database traffic
-- New Redis Search metrics
+- New search metrics
## New in this release
@@ -47,7 +47,7 @@ Redis Software now supports the Amazon Linux 2023 operating system.
- Added a `crdt_supported_module_featureset_version_map` field to the response for REST API requests to [get cluster info]({{}}). This new field provides aggregated module featureset version information, enabling clients to query which featureset versions are supported by each module across the cluster.
-- The [metrics stream engine]({{}}) exports new Redis Search [metrics]({{}}).
+- Exposed new search [metrics]({{}}).
### Redis database versions