Skip to main content

Redis CVE-2026-23524

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-01-21 security-advisories@github.com GHSA-m27r-m6rx-mhm4
Redis Laravel RCE Deserialization Reverb
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Mar 06, 2026 - 20:02 nvd
Patch available
CVE Published
Jan 21, 2026 - 22:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

AnalysisAI

Laravel Reverb WebSocket server versions 1.6.3 and below have an insecure deserialization vulnerability enabling remote code execution on the backend server.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deploy Laravel Reverb with horizontal scaling enabled
Delivery
Connect to unauthenticated Redis server
Exploit
Inject malicious serialized PHP object into Redis channel
Execution
Application deserializes data with unserialize()
Persist
Instantiate arbitrary class for code execution
Impact
Execute remote commands as web server user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Laravel Reverb versions 1.6.3 and below with REVERB_SCALING_ENABLED=true AND unauthenticated Redis server accessible on network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.8 with patch available. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects to the Laravel Reverb WebSocket endpoint and sends a crafted message containing a serialized PHP object chain that, upon deserialization, executes arbitrary PHP code on the server.
Remediation Update Laravel Reverb to version 1.6.4 or later. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48006 HIGH
8.7 Jun 11

Memory exhaustion in Netty's RedisArrayAggregator handler (io.netty:netty-codec-redis) allows remote unauthenticated att

Share

CVE-2026-23524 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy