CVE-2026-27206
PHP Object Injection in Zumba Json Serializer ≤3.2.2 Enables RCE
Publication date: 2026-02-21
Last updated on: 2026-02-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zumba | json-serializer | up to 3.2.3 (exclusive) |
| zumba | json-serializer | 3.2.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27206 is a security vulnerability in the zumba/json-serializer PHP library, versions 3.2.2 and below. The library deserializes PHP objects from JSON using a special @type field that names the PHP class to instantiate. The vulnerability arises because the deserializer instantiates any class named in the @type field without restriction.

If an attacker controls the JSON input passed to JsonSerializer::unserialize(), they can specify arbitrary classes to be instantiated. Some classes have magic methods such as __wakeup() or __destruct() whose side effects can be abused, leading to PHP Object Injection or even Remote Code Execution (RCE).

This behavior is similar in risk to PHP's native unserialize() function when it is used without restrictions on allowed classes. The vulnerability is fixed in version 3.2.3, which introduces a method to restrict which classes can be instantiated during deserialization. [2, 3]
How can this vulnerability impact me?
If your application uses zumba/json-serializer version 3.2.2 or below and deserializes untrusted or attacker-controlled JSON input, this vulnerability can allow an attacker to instantiate arbitrary PHP classes within your application.
This can lead to PHP Object Injection, which may result in Remote Code Execution (RCE), allowing attackers to execute arbitrary code on your server.
Other potential impacts include data exfiltration, file manipulation, and denial of service, depending on the classes available in your application or its dependencies and their magic methods.
Applications that only deserialize trusted JSON data are not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when untrusted JSON input containing a special @type field is passed to JsonSerializer::unserialize(), allowing instantiation of arbitrary PHP classes. Detection means establishing whether your application uses zumba/json-serializer version 3.2.2 or below and whether it deserializes untrusted JSON input without restrictions.

To detect exploitation attempts on your system or network, monitor for JSON payloads whose @type field names unexpected or suspicious PHP classes.

Since this is a PHP deserialization vulnerability, concrete detection commands depend on your application and environment. General approaches include:
- Inspect application logs or web server logs for incoming JSON requests containing the @type field.
- Use grep or a similar tool to search for '@type' in logs, for example: `grep -r '@type' /var/log/nginx/access.log` or `grep '@type' /path/to/app/logs/*.log`.
- Monitor network traffic for JSON payloads with @type fields using tools like Wireshark or tcpdump, filtering for HTTP POST requests that contain '@type'.
- Audit your codebase to check whether JsonSerializer::unserialize() is called on untrusted or external JSON input.

No specific built-in commands are provided in the resources, but these general detection methods can help identify potential exploitation attempts. [2, 3]
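A log-scanning script that goes one step beyond the grep above: it parses each logged JSON body, walks it for @type fields at any nesting depth (the library nests objects inside objects), and flags class names outside an allowlist. This is an added example, not code from the page or from the zumba/json-serializer project; the log format, the `body=` suffix and all class names are constructed, and it assumes the application logs request bodies, which web server access logs normally do not.

```python
import json
import re
from typing import Iterable, Iterator

# Constructed application log lines (not from the page). Each POST line ends with
# the JSON body the app would hand to JsonSerializer::unserialize().
SAMPLE_LOG = r"""
2026-02-21T10:00:01Z POST /api/import body={"@type":"App\\Dto\\Order","id":42}
2026-02-21T10:00:02Z POST /api/import body={"items":[{"@type":"App\\Dto\\Item","sku":"A1"}]}
2026-02-21T10:00:03Z POST /api/import body={"@type":"Acme\\Legacy\\Widget","x":1}
2026-02-21T10:00:04Z GET /healthz body=
2026-02-21T10:00:05Z POST /api/import body={"@type":"App\\Dto\\Order","meta":{"@type":"Acme\\Legacy\\Widget"}}
"""
# The classes this (hypothetical) application legitimately expects in @type.
ALLOWED_TYPES = frozenset({"App\\Dto\\Order", "App\\Dto\\Item"})
# Captures the JSON object that ends a log line (constructed format).
BODY_RE = re.compile(r"body=(\{.*\})\s*$")


def collect_types(node) -> Iterator[str]:
    """Yield every @type value in a decoded JSON document, at any nesting depth."""
    if isinstance(node, dict):
        if isinstance(node.get("@type"), str):
            yield node["@type"]
        for value in node.values():
            yield from collect_types(value)
    elif isinstance(node, list):
        for item in node:
            yield from collect_types(item)


def find_unexpected_types(lines: Iterable[str], allowed=ALLOWED_TYPES):
    """Return (line_number, class_name) for each @type that is not allowlisted."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = BODY_RE.search(line)
        if not match:
            continue
        try:
            body = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # not valid JSON, so the deserializer would reject it anyway
        for cls in collect_types(body):
            if cls not in allowed:
                findings.append((lineno, cls))
    return findings


if __name__ == "__main__":
    for lineno, cls in find_unexpected_types(SAMPLE_LOG.strip().splitlines()):
        print(f"line {lineno}: unexpected @type {cls}")
```

Feed it your own log lines and allowlist; a hit on a class your application never serializes is worth investigating even when the request was otherwise well formed.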
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the zumba/json-serializer library to version 3.2.3 or later, which introduces a method to restrict which classes can be instantiated during deserialization.
If an immediate upgrade is not feasible, the following steps should be taken:
- Never deserialize untrusted or attacker-controlled JSON input using JsonSerializer::unserialize().
- Validate and sanitize all JSON input before deserialization to ensure it does not contain malicious @type fields.
- Disable @type-based object instantiation wherever possible in your application logic.
After upgrading, configure the deserializer to restrict allowed classes with the new `setAllowedClasses()` method. For example, `$serializer->setAllowedClasses([]);` disables object instantiation entirely; otherwise pass a strict allowlist of the classes your application actually expects to deserialize.