MixPHP unauth RCE via deserialization (CVE-2026-42473)
CVE-2026-42473: Critical MixPHP Framework 2.x-2.2.17 unsafe deserialization (CVSS 9.8). Unauthenticated remote code execution. Update to 2.2.18 or apply the vendor patch.
Patch now - CVE-2026-42473 is a critical unsafe-deserialization vulnerability in MixPHP Framework 2.x through 2.2.17 that grants unauthenticated remote code execution when an attacker supplies a malicious serialized object to the session or cache FileHandler. Patched in MixPHP 2.2.18 - update immediately.
Overview
CVE-2026-42473 affects the FileHandler object used by the MixPHP Framework session and cache subsystems. The handler calls PHP’s unserialize() directly on data read from the filesystem without any sanitization or integrity checks. An attacker who can write a crafted serialized payload to a file (for example via an upload function, log injection, or another vector) can force the server to instantiate arbitrary PHP objects and trigger gadget chains that execute commands on the target system.
The flaw is trivially exploitable because it requires no authentication (CVSS Attack Vector: Network, Privileges Required: None) and no user interaction. The CVSS base score is 9.8 (Critical). There is no evidence of active exploitation in the wild as of this writing, but proof-of-concept code is likely to emerge given the straightforward exploit technique.
Impact
An unauthenticated attacker can:
- Execute arbitrary operating-system commands on the MixPHP application server.
- Gain a foothold in the internal network, if the server has outbound connectivity.
- Read, modify, or delete application data stored in the session or cache backend.
- Use the compromised server as a pivot point for lateral movement.
Any application built on MixPHP 2.x up to and including 2.2.17 is affected. The framework is most commonly used in PHP-based REST APIs and web applications.
Remediation and Mitigation
Immediate fix: Upgrade to MixPHP 2.2.18, which replaces the unsafe unserialize() call with a safe deserialization wrapper that validates object types and allowed classes.
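To make the fix concrete, here is the unsafe read pattern the advisory describes beside a hardened replacement, written for this page as an added example rather than taken from MixPHP's code base. The class name, directory layout, HMAC tagging and secret are assumptions for illustration; the safe pattern is the same one the vendor fix is described as adopting (no raw unserialize() on file contents) plus an integrity check that rejects foreign files before anything is parsed.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (as described in the advisory): every byte in the file
// becomes a PHP object graph, so any class with side effects in __wakeup()
// or __destruct() can be instantiated by whoever can write the file.
function unsafeRead(string $path): mixed
{
    return unserialize((string) file_get_contents($path));
}

// Hardened store (assumed design, not MixPHP's): JSON instead of serialize(),
// and an HMAC over the payload so a file written by another process is
// rejected before it is decoded.
final class SafeFileStore
{
    public function __construct(private string $dir, private string $secret) {}

    public function write(string $key, array $data): void
    {
        $json = json_encode($data, JSON_THROW_ON_ERROR);
        $mac  = hash_hmac('sha256', $json, $this->secret);
        file_put_contents($this->path($key), $mac . "\n" . $json, LOCK_EX);
    }

    public function read(string $key): ?array
    {
        $raw = @file_get_contents($this->path($key));
        if ($raw === false) {
            return null;
        }
        [$mac, $json] = explode("\n", $raw, 2) + [1 => ''];
        // Constant-time compare; a tampered file fails here with nothing parsed.
        if (!hash_equals(hash_hmac('sha256', $json, $this->secret), $mac)) {
            error_log("integrity failure on session/cache key {$key}"); // detection hook
            return null;
        }
        return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    }

    // Only if legacy serialized files must still be read during migration:
    // refuse every class, so objects come back as __PHP_Incomplete_Class
    // (no __wakeup/__destruct) and nesting is bounded.
    public static function legacyRead(string $blob): mixed
    {
        return unserialize($blob, ['allowed_classes' => false, 'max_depth' => 8]);
    }

    private function path(string $key): string
    {
        // Hash the key so a caller-controlled name cannot traverse out of $dir.
        return $this->dir . '/' . hash('sha256', $key) . '.json';
    }
}
```

The integrity failure logged in read() is also a useful signal for the log monitoring recommended below, since a legitimate handler never produces a file that fails its own MAC.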
If you cannot upgrade immediately:
- Disable the FileHandler session driver and switch to Redis or database-backed sessions that store data in a non-serialized format.
- Restrict filesystem access to the session and cache file directories. Ensure the web server user has no write access to directories where uploaded files or log entries are stored unless explicitly required.
- Monitor server logs for unexpected PHP fatal errors around unserialize() calls, which may indicate attempted exploitation.
- Deploy a Web Application Firewall (WAF) rule that blocks O:, C:, and other serialized-object indicators in request bodies and file uploads.
Security Insight
CVE-2026-42473 is a textbook case of PHP object injection, a class of vulnerability that has plagued PHP frameworks for over a decade (e.g., the 2017 Drupalgeddon 2 vulnerability shared the same root cause). MixPHP’s reliance on raw unserialize() for filesystem-backed storage demonstrates a failure to adopt the secure-by-default practices that modern PHP frameworks have made standard. Developers who maintain framework-level components should treat any deserialization of non-whitelisted data as a red-line security risk and prefer JSON or other structured formats for persistent state.