Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-23524

Laravel Redis Horizontal Scaling Insecure Deserialization
Back to all
CVE

CVE-2026-23524

Laravel Redis Horizontal Scaling Insecure Deserialization

Impact

This vulnerability affects Laravel Reverb versions prior to v1.7.0 when horizontal scaling is enabled (REVERBSCALINGENABLED=true).

The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication.

With horizontal scaling enabled, Reverb servers communicate via Redis PubSub. Reverb previously passed data from the Redis channel directly into PHP’s unserialize() function without restricting which classes could be instantiated.

Risk: Remote Code Execution (RCE)

Patches

This vulnerability is fixed in Laravel Reverb v1.7.0.

Update your dependency to laravel/reverb: ^1.7.0 immediately.

Workarounds

If you cannot upgrade to v1.7.0, you should apply the following mitigations:

  • Redis Security: Require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback.
  • Disable Scaling: If your environment uses only one Reverb node, set REVERBSCALINGENABLED=false to bypass the vulnerable logic entirely.

Credits

This vulnerability was discovered and responsibly reported by Mohammad Yaser Abo-Elmaaty @m0h4mmad

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4, https://nvd.nist.gov/vuln/detail/CVE-2026-23524, https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a, https://github.com/laravel/reverb, https://github.com/laravel/reverb/releases/tag/v1.7.0, https://laravel.com/docs/12.x/reverb#scaling, https://laravel.com/docs/reverb#scaling

Severity

9.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.8
EPSS Probability
0.00672%
EPSS Percentile
0.70968%
Introduced Version
0
Fix Available
1.7.0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading