CVE-2026-23524
Published: 21 January 2026
Summary
CVE-2026-23524 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Laravel Reverb. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 36.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as the unsafe deserialization vulnerability in Laravel Reverb leading to RCE.
- SC-7 (Boundary Protection): enforces boundary protections to restrict unauthorized remote access to the Redis instance, preventing attackers from injecting malicious serialized data.
- SI-10 (Information Input Validation): mandates validation of untrusted inputs from Redis channels prior to deserialization to block instantiation of malicious classes and RCE.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables remote code execution via exploitation of a public-facing Laravel Reverb WebSocket backend processing unsecured Redis data, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).
Deeper analysis (AI)
CVE-2026-23524 is a critical deserialization vulnerability (CWE-502) in Laravel Reverb, a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and prior, Reverb directly passes data from Redis channels into PHP's unserialize() function without restricting instantiable classes, enabling remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and only impacts deployments with horizontal scaling enabled via REVERB_SCALING_ENABLED=true.
Remote attackers can exploit this flaw without authentication or user interaction by injecting malicious serialized data into an accessible Redis instance, which Reverb then unserializes during scaled operations. Redis servers are frequently deployed without authentication and exposed publicly, amplifying exploitability. Successful exploitation grants attackers high confidentiality, integrity, and availability impacts through arbitrary code execution on the Reverb server.
The issue is addressed in Laravel Reverb version 1.7.0, as detailed in the project's security advisory (GHSA-m27r-m6rx-mhm4) and release notes. Mitigation recommendations include upgrading immediately, enforcing strong passwords on Redis with access restricted to private networks or loopback interfaces, or disabling scaling entirely by setting REVERB_SCALING_ENABLED=false for single-node setups. Relevant details are available in the fix commit and Laravel documentation on Reverb scaling.
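The core of the advisory, channel data passed straight into unserialize() with no class restriction, is illustrated below by an added example. It is not Laravel Reverb's own code and does not reproduce Reverb's internals: it places the unrestricted call next to a variant that uses PHP's allowed_classes option and then validates the shape of the result, with JSON shown as the alternative that avoids the problem entirely. The two serialized payloads, the function names, and the assumption that a legitimate scaling message is a plain array of scalars are all constructed for the illustration; it assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added illustration, not Laravel Reverb's own code: the unsafe pattern the
// advisory describes (data read from a Redis channel fed straight into
// unserialize()) next to a hardened variant. Both payloads below are
// constructed samples standing in for pub/sub messages; no Redis connection
// is made.

// Constructed sample: a serialized object. With no class restriction,
// unserialize() instantiates whatever class the payload names; an object of a
// class with a __wakeup() or __destruct() method would run that code here.
$objectMessage = 'O:8:"stdClass":1:{s:5:"event";s:4:"ping";}';

// Constructed sample: the same event as a plain serialized array, which is
// what a legitimate message is assumed to look like in this illustration.
$plainMessage = 'a:1:{s:5:"event";s:4:"ping";}';

// Vulnerable pattern (the pre-1.7.0 behaviour as the advisory describes it):
// every class named in the payload may be instantiated.
function unserializeUnrestricted(string $payload): mixed
{
    return unserialize($payload);
}

// Hardened pattern: allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class, so no application class is
// instantiated and no magic method runs. The result is then accepted only if
// it is a plain array with no object anywhere inside it. The @ silences the
// E_NOTICE that unserialize() raises on malformed input.
function unserializeRestricted(string $payload): ?array
{
    $data = @unserialize($payload, ['allowed_classes' => false, 'max_depth' => 16]);
    if (!is_array($data) || containsObject($data)) {
        return null;
    }
    return $data;
}

// Recursive scan for objects; is_object() is true for __PHP_Incomplete_Class
// as well, so placeholder objects left by allowed_classes => false are caught.
function containsObject(array $data): bool
{
    foreach ($data as $value) {
        if (is_object($value)) {
            return true;
        }
        if (is_array($value) && containsObject($value)) {
            return true;
        }
    }
    return false;
}

// Preferable for new code: exchange events as JSON, which carries no object
// model and therefore nothing for a deserializer to instantiate.
function decodeJsonEvent(string $payload): ?array
{
    $data = json_decode($payload, true, 16);
    return is_array($data) ? $data : null;
}

// Demonstration of the three paths on the constructed samples.
$result = unserializeUnrestricted($objectMessage);
echo 'unrestricted: ',
    ($result instanceof stdClass ? 'object instantiated from the payload' : 'no object'),
    PHP_EOL;

echo 'restricted, object payload: ';
var_dump(unserializeRestricted($objectMessage));   // object payload is rejected

echo 'restricted, array payload: ';
var_dump(unserializeRestricted($plainMessage));    // plain array is accepted

echo 'json: ';
var_dump(decodeJsonEvent('{"event":"ping"}'));
```

Run it with `php example.php`. The restricted variant is a defence-in-depth measure for code that must keep consuming serialized PHP data; it does not replace the fixed release (1.7.0) or the Redis access controls the advisory lists, because a Redis instance that accepts unauthenticated writes still lets anyone inject messages into the scaling channel even when those messages can no longer instantiate classes.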
Details
- CWE(s)