Vulnerability Report

CVE-2026-23524

RCE

Title: RCE in Laravel Reverb

RCE

Proof Of Concept

PoC Available for CVE-2026-23524

CWE Category CWE-502

Published Date Jan 21, 2026

Modified Date Mar 06, 2026

Exploit Status Available

Score 9.8 CVSS v3.1

Exploit Probability (EPSS)

0.17%

Vulnerability Summary

CVE-2026-23524: Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).

Impacted Vendors

laravel 1

Reference Links

https://cwe.mitre.org/data/definitions/502.html https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a https://github.com/laravel/reverb/releases/tag/v1.7.0 https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4 https://laravel.com/docs/12.x/reverb#scaling

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

9.8

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns