CVE-2026-23524
Published: 21 January 2026
Description
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data received from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. Exploitability is increased because Redis servers are commonly deployed without authentication, but the issue only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only reachable over a private network or the local loopback interface, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).
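To make the failure mode concrete, the following is an added example written for this page, not code from Laravel Reverb. The class AuditHook, the shape of the inter-node message and the hardenedDecode() helper are assumptions for illustration, and the 1.7.0 fix may differ in detail. It shows that whoever can publish to the Redis channel chooses which class unserialize() instantiates (and so which __wakeup()/__destruct() code runs before any application logic sees the payload), and that calling unserialize() with allowed_classes set to false removes that primitive.

```php
<?php
// Added example (not Laravel Reverb's own code): why feeding a Redis
// pub/sub message straight into unserialize() is dangerous, and how
// restricting allowed_classes removes the object-instantiation primitive.

declare(strict_types=1);

// Hypothetical class in the application's autoload scope. Its __wakeup()
// runs inside unserialize(), before the caller can inspect the result.
// A real gadget chain would reach file writes or code execution through
// framework classes; this one only records that it was triggered.
final class AuditHook
{
    public static array $log = [];
    public string $cmd = '';

    public function __wakeup(): void
    {
        self::$log[] = 'AuditHook::__wakeup ran with cmd=' . $this->cmd;
    }
}

// Constructed sample: a legitimate node publishes a serialized array.
function legitimateMessage(): string
{
    return serialize([
        'event'   => 'chat.message',
        'channel' => 'room-1',
        'data'    => ['text' => 'hi'],
    ]);
}

// Constructed sample: what an attacker with write access to Redis can
// publish on the same channel instead (an AuditHook object, cmd = "id").
function attackerMessage(): string
{
    return 'O:9:"AuditHook":1:{s:3:"cmd";s:2:"id";}';
}

// Vulnerable pattern described in the advisory (<= 1.6.3):
// unrestricted unserialize() of whatever arrived on the channel.
function vulnerableDecode(string $payload): mixed
{
    return unserialize($payload);
}

// Hardened pattern: forbid object instantiation entirely. Inter-node
// messages are plain arrays, so nothing legitimate is lost. Objects in the
// payload come back as __PHP_Incomplete_Class and are rejected.
function hardenedDecode(string $payload): array
{
    $value = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('Refusing non-array message from Redis');
    }
    return $value;
}

// Demonstration
$ok = hardenedDecode(legitimateMessage());
printf("legitimate message decodes to %d keys\n", count($ok));

$obj = vulnerableDecode(attackerMessage());
printf("vulnerable path instantiated: %s\n", get_class($obj));
$hooks = AuditHook::$log;
printf("side effect before any validation: %s\n", $hooks[0]);

try {
    hardenedDecode(attackerMessage());
} catch (UnexpectedValueException $e) {
    printf("hardened path rejected payload: %s\n", $e->getMessage());
}
```

The check to carry into code review: any unserialize() on data that crosses a trust boundary (a message bus, a cache, a cookie) must either pass allowed_classes (false, or an explicit short list) or be replaced with a format that cannot instantiate objects, such as JSON. Authenticating Redis narrows who can publish; allowed_classes removes the consequence when someone does.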
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as the unsafe deserialization vulnerability in Laravel Reverb leading to RCE; here, upgrading to 1.7.0.
SC-7 (Boundary Protection): enforces boundary protections that restrict remote access to the Redis instance to the private network or loopback interface, so an attacker cannot inject malicious serialized data into the channel.
SI-10 (Information Input Validation): mandates validation of untrusted input read from Redis channels before deserialization (for PHP, restricting allowed_classes in unserialize() or using a format that cannot instantiate objects), which blocks instantiation of attacker-chosen classes and the resulting RCE.
Security Summary
CVE-2026-23524 is a critical deserialization vulnerability (CWE-502) in Laravel Reverb, a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and prior, Reverb directly passes data from Redis channels into PHP's unserialize() function without restricting instantiable classes, enabling remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and only impacts deployments with horizontal scaling enabled via REVERB_SCALING_ENABLED=true.
Remote attackers can exploit this flaw without authentication or user interaction by publishing malicious serialized data to an accessible Redis instance, which Reverb then unserializes when it consumes messages on the channel used to fan events between scaled nodes. Redis servers are frequently deployed without authentication and exposed beyond the local host, which amplifies exploitability. Successful exploitation yields arbitrary code execution on the Reverb server, with high confidentiality, integrity, and availability impact.
The issue is addressed in Laravel Reverb version 1.7.0, as detailed in the project's security advisory (GHSA-m27r-m6rx-mhm4) and release notes. Mitigation recommendations include upgrading immediately, enforcing strong passwords on Redis with access restricted to private networks or loopback interfaces, or disabling scaling entirely by setting REVERB_SCALING_ENABLED=false for single-node setups. Relevant details are available in the fix commit and Laravel documentation on Reverb scaling.
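The two workarounds from the advisory, shown as an added configuration example that is not from the Reverb project: the weak Redis settings beside the hardened ones, and the Reverb environment settings for single-node and multi-node deployments. The redis.conf directives are standard Redis settings; REDIS_HOST and REDIS_PASSWORD are the Laravel environment variables assumed here to feed Reverb's scaling connection, and the password and address values are placeholders.

```ini
# --- redis.conf: weak configuration that exposes the channel unauthenticated ---
# bind 0.0.0.0
# protected-mode no
# (no requirepass set)

# --- redis.conf: hardened ---
# Loopback only; use the private-network address instead if Reverb nodes are remote.
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-TO-A-LONG-RANDOM-PASSWORD

# --- .env, single Reverb node: skip the vulnerable code path entirely ---
REVERB_SCALING_ENABLED=false

# --- .env, several Reverb nodes still on <= 1.6.3: keep scaling but authenticate ---
# Only reachable over the private network; never a public interface.
REVERB_SCALING_ENABLED=true
REDIS_HOST=10.0.0.5
REDIS_PORT=6379
REDIS_PASSWORD=CHANGE-ME-TO-A-LONG-RANDOM-PASSWORD
```

Neither workaround changes the unsafe unserialize() call; they only reduce who can reach it. Upgrading to 1.7.0 is the fix, and the Redis hardening should stay in place afterwards.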
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Affected Products: Laravel Reverb, versions 1.6.3 and below (fixed in 1.7.0); only deployments with REVERB_SCALING_ENABLED=true are exposed
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution by exploiting a public-facing Laravel Reverb WebSocket backend that deserializes unauthenticated Redis channel data, which maps directly to T1190: Exploit Public-Facing Application.