Scramble, Remote Code Execution (RCE), CVE-2026-XXXXX (Critical)

The vulnerability arises because Scramble evaluates Laravel validation rules that reference user‑controlled input when generating documentation. If the `/docs/api` or `/docs/api.json` endpoint is publicly accessible, an attacker can supply specially crafted data in a request. Scramble’s documentation generator then dynamically evaluates that data as PHP code, leading to arbitrary code execution in the context of the application.

The attack chain is:

  1. Attacker identifies a publicly available Scramble documentation endpoint.
  2. Attacker sends a request containing a validation rule that references user‑supplied parameters (e.g., 'rule' => 'required|in:' . $input).
  3. During documentation generation, Scramble evaluates the rule without sanitizing the user input.
  4. The injected PHP code is executed, giving the attacker full control over the server.

The issue affects Scramble versions 0.13.2 through 0.13.21. Version 0.13.22 fixes the vulnerability by no longer evaluating user‑controlled data during documentation generation.

DailyCVE Form

Platform: Laravel Scramble
Version: 0.13.2–0.13.21
Vulnerability: RCE via eval
Severity: Critical
Date: Apr 28, 2026

Prediction: Patch date Apr 28, 2026

What Undercode Says

Check the installed Scramble version:

    composer show dedoc/scramble

Update to the patched version:

    composer require dedoc/scramble:0.13.22

Verify the update:

    php artisan scramble:info

Example of a vulnerable validation rule (request input is concatenated straight into the rule string):

    // Vulnerable: the client controls part of the rule that Scramble later evaluates
    $rules = [
        'field' => 'required|in:' . $_GET['user_input'],
    ];

The patched code (0.13.22) no longer evaluates user input during documentation generation.

How the Exploit Works

An attacker sends a request to the publicly accessible documentation endpoint (e.g., /docs/api) with a payload like:

`?rule=required|in:`

During documentation generation, Scramble evaluates the rule, executing the embedded `system('id')` command.

Protection from this CVE

  • Upgrade immediately to Scramble 0.13.22 or later.
  • If immediate upgrade is impossible, restrict access to `/docs/api` and `/docs/api.json` endpoints using middleware or network‑level controls.
  • Avoid using user‑controlled input directly inside validation rules.
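The following is an added example, not code from the advisory or from the Scramble project, covering the two defensive points above: the vulnerable rule pattern from the earlier snippet beside a hardened form that keeps request data out of the rule string, and gating the documentation routes. The `RestrictedDocsAccess` middleware and `viewApiDocs` gate names are assumed from the dedoc/scramble configuration and should be checked against your installed version; the e-mail address is a placeholder.

```php
<?php
// Added example (not the advisory's or the Scramble project's own code).

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Validation\Rule;

// --- 1. Keep user-controlled input out of validation rule strings ---

// Vulnerable pattern: a query parameter is spliced into the rule string, so
// whatever the client sends becomes part of the rule that Scramble inspects
// when it generates documentation.
function vulnerableRules(Request $request): array
{
    return [
        'status' => 'required|in:' . $request->query('allowed', ''),
    ];
}

// Hardened form: the accepted values are a server-side constant passed as an
// array to Rule::in(), so no client-supplied string ever reaches the rule
// parser. The request is still validated against the same allow-list.
const ALLOWED_STATUSES = ['draft', 'published', 'archived'];

function hardenedRules(): array
{
    return [
        'status' => ['required', Rule::in(ALLOWED_STATUSES)],
    ];
}

// --- 2. Restrict /docs/api and /docs/api.json until the upgrade lands ---
//
// In config/scramble.php (assumed key and middleware class; verify locally):
//   'middleware' => ['web', \Dedoc\Scramble\Http\Middleware\RestrictedDocsAccess::class],
//
// RestrictedDocsAccess is assumed to authorise through the 'viewApiDocs' gate.
// Defining that gate in AuthServiceProvider::boot() limits the documentation
// endpoints to an explicit allow-list of authenticated users instead of
// leaving them reachable by unauthenticated clients.
class AuthServiceProvider extends \Illuminate\Foundation\Support\Providers\AuthServiceProvider
{
    public function boot(): void
    {
        Gate::define('viewApiDocs', function ($user): bool {
            // Placeholder address: replace with the accounts that may read the docs.
            return in_array($user->email, ['[email protected]'], true);
        });
    }
}
```

Network-level controls (for example, an allow-list on the reverse proxy in front of `/docs/`) give the same effect without touching application code and can be applied faster during incident handling.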

Impact

Remote, unauthenticated attackers can execute arbitrary PHP code on the server, leading to full system compromise, data theft, and lateral movement within the network.

Sources:

Reported By: github.com