CVE-2026-23524: Laravel Redis Horizontal Scaling Insecure Deserialization
(updated )
This vulnerability affects Laravel Reverb versions prior to v1.7.0 when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true).
The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication.
With horizontal scaling enabled, Reverb servers communicate via Redis PubSub. Reverb previously passed data from the Redis channel directly into PHP’s unserialize() function without restricting which classes could be instantiated.
Risk: Remote Code Execution (RCE)
References
- github.com/advisories/GHSA-m27r-m6rx-mhm4
- github.com/laravel/reverb
- github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a
- github.com/laravel/reverb/releases/tag/v1.7.0
- github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4
- laravel.com/docs/12.x/reverb
- laravel.com/docs/reverb
- nvd.nist.gov/vuln/detail/CVE-2026-23524
Code Behaviors & Features
Detect and mitigate CVE-2026-23524 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →