MixPHP unauth RCE via deserialization (CVE-2026-42472)
CVE-2026-42472: critical RCE via unsafe deserialization in MixPHP 2.x-2.2.17 (CVSS 9.8). No patch available yet; disable Redis session/cache handlers or restrict access now.
Patch now - CVE-2026-42472 is a critical deserialization vulnerability in MixPHP Framework versions 2.x through 2.2.17 that lets unauthenticated attackers achieve remote code execution by sending crafted payloads to Redis-hosted sessions or cache data. No vendor patch is available; administrators must apply mitigations immediately.
Overview
CVE-2026-42472 affects the RedisHandler component of the MixPHP Framework, which handles session and cache data stored in Redis. The vulnerability exists because the handler calls PHP’s unserialize() function on data retrieved from Redis without validation or sanitization. An attacker who can write arbitrary data to the Redis instance can inject a malicious serialized object that triggers arbitrary code execution when MixPHP processes the data.
This is a classic insecure deserialization flaw, in the same class as the vulnerabilities that have plagued frameworks such as Drupal and Joomla and for which gadget-chain collections like PHPGGC exist. The CVSSv3 score of 9.8 reflects the extreme ease of exploitation: no authentication, no user interaction, and network reachability.
Impact
A successful exploit grants the attacker full remote code execution on the MixPHP application server with the privileges of the web server process. This typically means the attacker can:
- Install web shells or backdoors
- Read or modify application data and configuration
- Use the compromised server as a pivot point into internal networks
- Steal credentials or session tokens from other users
The vulnerability is particularly dangerous in shared hosting environments or any deployment where Redis does not require authentication or is exposed to untrusted networks.
Affected Versions
MixPHP Framework versions 2.x, including all builds up to and including version 2.2.17.
Remediation
No official vendor patch has been released as of the date of this advisory. The MixPHP project appears to be dormant; administrators should pursue the following options in order:
- Immediate mitigation: Disable the Redis-based session and cache handlers in MixPHP’s configuration. Switch to file-based or database-backed session handling until a more permanent fix is available.
- Access control: Ensure Redis is never exposed to untrusted networks. If Redis must be accessible from the web application server, restrict access via firewall rules to only the application IP range. Enable Redis authentication (requirepass) and use TLS for connections where possible.
- Alternative framework: Evaluate migrating to a maintained PHP framework with secure deserialization practices built in.
- Monitoring: Watch for unusual deserialization errors or unexpected child processes on application servers.
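The root cause described in the Overview is an unserialize() call on bytes pulled from Redis, and the mitigations above amount to keeping those bytes out of reach of anyone who can write to Redis. As an added example (not MixPHP's code), the store below shows what a hardened Redis-backed session/cache read looks like: values are stored as JSON with an HMAC tag, tampered entries are rejected and logged as a detection signal, and legacy serialized entries are decoded with classes disabled so no gadget chain can run. The class name, the `$redis` phpredis client and the `$hmacKey` secret are hypothetical; PHP 8.0 or later is assumed.

```php
<?php
// Added example, not part of the MixPHP framework. Requires PHP 8.0+ and the
// phpredis extension. $redis and $hmacKey are hypothetical names supplied by
// the caller; the HMAC key must come from secret storage, not from Redis.

final class SafeRedisStore
{
    public function __construct(private \Redis $redis, private string $hmacKey) {}

    // Store data as JSON plus an HMAC tag. Anyone who can write to Redis but
    // does not hold the key cannot produce a value that get() will accept.
    public function set(string $key, array $value, int $ttl): void
    {
        $json = json_encode($value, JSON_THROW_ON_ERROR);
        $tag  = hash_hmac('sha256', $json, $this->hmacKey); // 64 hex chars, no ':'
        $this->redis->setex($key, $ttl, $tag . ':' . $json);
    }

    // Verify the tag with a constant-time compare, then decode as plain JSON.
    // Nothing here ever reaches unserialize(), so a crafted serialized object
    // in Redis is just a rejected string.
    public function get(string $key): ?array
    {
        $raw = $this->redis->get($key);
        if (!is_string($raw) || strpos($raw, ':') === false) {
            return null;
        }
        [$tag, $json] = explode(':', $raw, 2);
        $expected = hash_hmac('sha256', $json, $this->hmacKey);
        if (!hash_equals($expected, $tag)) {
            // Detection hook: repeated rejections for one key or client are a
            // sign that someone is writing into the session/cache keyspace.
            error_log("SafeRedisStore: rejected tampered value for key {$key}");
            return null; // behave like a cache miss / expired session
        }
        $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        return is_array($data) ? $data : null;
    }

    // Migration path for entries written by the old PHP-serialized format:
    // allowed_classes=false turns every object into __PHP_Incomplete_Class,
    // so no __wakeup()/__destruct() of an application or library class runs.
    // Scalars and arrays still decode normally.
    public static function unserializeLegacy(string $raw): mixed
    {
        return unserialize($raw, ['allowed_classes' => false]);
    }
}
```

Switching the on-disk format this way also satisfies the first mitigation above without giving up Redis, since the handler no longer trusts the bytes it reads back.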
Security Insight
This vulnerability is a textbook example of a pattern that continues to plague PHP frameworks: unchecked unserialize() calls on externally influenced data. The PHP community has known about the dangers of unserialize() for years, yet frameworks still ship with this pattern as the default. What makes CVE-2026-42472 notable is its CVSS score of 9.8 combined with the apparent abandonment of the MixPHP project. Organizations running MixPHP face a choice that is rare in the vulnerability landscape: patch a dead project themselves or migrate. For broader context on related findings, readers can review our security news coverage and breach reports for real-world impacts of similar deserialization vulnerabilities.