PT-2026-3792 · Laravel · Laravel Reverb

M0H4Mmad · Published 2026-01-21 · Updated 2026-01-30 · CVE-2026-23524

CVSS v3.1: 10 (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Laravel Reverb versions 1.6.3 and below
Description: Laravel Reverb, a real-time WebSocket communication backend for Laravel applications, passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated. This can lead to Remote Code Execution (RCE). The risk is increased because Redis servers are often deployed without authentication. This issue affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). The unserialize() function is used to convert serialized data back into PHP objects.
Recommendations:
- Laravel Reverb versions 1.6.3 and below: Upgrade to version 1.7.0.
- Laravel Reverb versions 1.6.3 and below: If upgrading to version 1.7.0 is not possible, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback.
- Laravel Reverb versions 1.6.3 and below: If upgrading to version 1.7.0 is not possible and the environment uses only one Reverb node, set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic.
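As an added example (not Laravel Reverb's own code) of the distinction the description draws: the same Redis channel message decoded by unserialize() with and without a class allow-list. The function and class names (decodeScalingMessage, ChannelEvent, NotAllowedClass) and the sample messages are assumptions constructed for illustration.

```php
<?php
// Added example, not Reverb's code: guard a message read from the Redis
// scaling channel before it reaches unserialize().
declare(strict_types=1);

// Harmless stand-in for whatever the scaling channel legitimately carries.
final class ChannelEvent
{
    public function __construct(public string $channel = '', public string $payload = '') {}
}

/**
 * Decode a scaling-channel message.
 *
 * Unrestricted unserialize($raw) instantiates ANY class named in the payload,
 * so whoever can PUBLISH to the Redis channel decides which objects (and which
 * __wakeup/__destruct code) run inside the Reverb process.
 *
 * With 'allowed_classes', every class not on the list becomes
 * __PHP_Incomplete_Class, whose magic methods never execute; we then reject
 * the message outright instead of silently using a partial result.
 */
function decodeScalingMessage(string $raw, array $allowedClasses): array|false
{
    $data = @unserialize($raw, ['allowed_classes' => $allowedClasses]);
    if (!is_array($data)) {
        return false; // malformed or not the shape we expect
    }
    array_walk_recursive($data, function ($v): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('scaling message contained a disallowed object');
        }
    });
    return $data;
}

// Constructed sample messages (not captured from a real deployment).
$legit = serialize(['event' => new ChannelEvent('orders', '{"id":1}')]);
$rogue = 'a:1:{s:5:"event";O:15:"NotAllowedClass":0:{}}';

$ok = decodeScalingMessage($legit, [ChannelEvent::class]);
echo ($ok !== false ? 'accepted' : 'rejected'), PHP_EOL;

try {
    decodeScalingMessage($rogue, [ChannelEvent::class]);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list is a mitigation for the unserialize() call itself; the advisory's upgrade and Redis network/authentication recommendations still apply.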

RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: BDU:2026-01045, CVE-2026-23524, GHSA-M27R-M6RX-MHM4

Affected Products: Laravel Reverb