CVE-2026-23524 — CRITICAL (9.8)

Q: How severe is CVE-2026-23524?

CVE-2026-23524 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-23524?

Check the references section above for vendor advisories and patch information. Affected products include: Laravel Reverb.

Vulnerability Description

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Laravel	Reverb	< 1.7.0

Related Weaknesses (CWE)

CWE-502

References

https://cwe.mitre.org/data/definitions/502.htmlTechnical Description
https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1Patch
https://github.com/laravel/reverb/releases/tag/v1.7.0ProductRelease Notes
https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4MitigationVendor Advisory
https://laravel.com/docs/12.x/reverb#scalingTechnical Description

FAQ

What is CVE-2026-23524?

CVE-2026-23524 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() f...

How severe is CVE-2026-23524?

CVE-2026-23524 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-23524?

Check the references section above for vendor advisories and patch information. Affected products include: Laravel Reverb.