Laravel Reverb, Insecure Deserialization, CVE-2026-23524 (Critical)

Listen to this Post

CVE-2026-23524 is a critical vulnerability in Laravel Reverb, a real-time WebSocket communication backend for Laravel applications, specifically affecting versions 1.6.3 and below . The flaw resides in how Reverb handles horizontal scaling, a mode enabled by `REVERB_SCALING_ENABLED=true` where multiple Reverb nodes communicate via Redis PubSub channels to synchronize state . The vulnerable code within the `PusherPubSubIncomingMessageHandler` takes data from these Redis channels and passes it directly into PHP’s `unserialize()` function without implementing an allowlist for class instantiation . This constitutes an Insecure Deserialization vulnerability, classified as CWE-502 . By sending a maliciously crafted serialized PHP object into the Redis channel, an attacker can instantiate arbitrary classes within the application’s scope. The exploit is particularly dangerous because Redis servers are frequently deployed without authentication, making them an accessible entry point . If a “gadget chain” of classes with exploitable magic methods (like `__wakeup()` or __destruct()) exists in the application, the deserialization process can lead to Remote Code Execution (RCE) . The attack vector is network-based, requires no privileges, and has low complexity, allowing an unauthenticated attacker to completely compromise the confidentiality, integrity, and availability of the system . The vulnerability has been fixed in Laravel Reverb version 1.7.0 by properly restricting the classes that can be deserialized .
Platform: Laravel Reverb
Version: 1.6.3 and below
Vulnerability : Insecure Deserialization RCE
Severity: Critical
date: 21 Jan 2026

Prediction: Patch already released

What Undercode Say:

Analytics

The vulnerability is identified as CVE-2026-23524 with a CVSS base score of 9.8 (Critical) . The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network attack vector with low complexity and no required privileges . It is associated with CWE-502 (Deserialization of Untrusted Data) . The vulnerability was published on January 21, 2026, and affects all versions of Laravel Reverb prior to 1.7.0 when horizontal scaling is enabled . It was discovered and reported by Mohammad Yaser Abo-Elmaaty . The EPSS score is approximately 0.68%, indicating a moderate probability of exploitation in the wild .

Exploit

The exploitation requires network access to the Redis server used by Reverb for horizontal scaling. An attacker can publish a malicious serialized PHP object to the relevant Redis PubSub channel.

Example concept: Publishing a malicious payload to Redis
This is a conceptual representation; a real exploit would require a valid gadget chain.
redis-cli -h <target_redis_host> publish "reverb:channel" 'O:8:"ExampleClass":1:{s:4:"prop";s:29:"malicious_payload_here";}'

When Reverb processes this message, it calls `unserialize()` on the payload, which can lead to RCE if a suitable gadget chain exists in the application’s autoloaded classes .

Protection

Immediate protection is achieved by upgrading to Laravel Reverb version 1.7.0 or later .

Update to the patched version using Composer
composer require laravel/reverb:^1.7.0

If an immediate upgrade is not possible, apply these workarounds :
1. Disable Horizontal Scaling: If only one Reverb node is used, set the environment variable to bypass the vulnerable logic.

echo "REVERB_SCALING_ENABLED=false" >> .env

2. Secure Redis: Enforce strong authentication and restrict network access to the Redis server.

In redis.conf
requirepass your_strong_random_password
bind 127.0.0.1
Firewall rule to restrict access (example with iptables)
iptables -A INPUT -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

Impact

Successful exploitation of this vulnerability allows an unauthenticated, remote attacker to achieve Remote Code Execution (RCE) on the server hosting Laravel Reverb . This grants the attacker the ability to execute arbitrary system commands with the privileges of the PHP process, potentially leading to full server compromise, data theft, installation of backdoors, or lateral movement within the network . The impact on system confidentiality, integrity, and availability is rated as HIGH .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Mercurius, Query Depth Bypass, CVE-2026-12345 (Low)

Scroll to Top