Critical (9.5)

PHP SOAP unauthenticated RCE (CVE-2026-6722)


CVE-2026-6722: PHP 8.2-8.5 SOAP object deduplication use-after-free grants unauthenticated RCE (CVSS 9.5). Update to PHP 8.2.31/8.3.31/8.4.21/8.5.6.

Patch now: CVE-2026-6722 is a critical use-after-free in PHP 8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21, and 8.5.x before 8.5.6 that lets an unauthenticated attacker send a crafted SOAP request to achieve remote code execution. The SOAP extension is widely deployed in web applications, making this a high-impact threat for any PHP server accepting XML-RPC or SOAP payloads.

Overview

CVE-2026-6722 is a use-after-free vulnerability in the PHP SOAP extension. The flaw resides in the object deduplication mechanism used during SOAP message parsing. When the SOAP handler processes an Apache SOAP Map node containing duplicate keys, the second key’s processing overwrites the first entry in the temporary result map. That overwrite frees the original PHP object while a pointer to it remains cached in a global map whose reference count was never incremented.

An attacker who controls the SOAP request body can then reference the freed object using an href attribute. Because PHP string allocations can reclaim the freed memory region, the dangling pointer becomes a weaponizable primitive. The attacker can craft a malicious SOAP payload that triggers this sequence, leading to arbitrary code execution on the server.

The vulnerability affects all PHP versions in the 8.2, 8.3, 8.4, and 8.5 branches below the respective patched releases. It received a CVSS score of 9.5 (CRITICAL) due to its network vector, no authentication requirement, and potential for full system compromise.

Impact

Any PHP application that parses user-supplied SOAP requests is at risk. This includes custom SOAP endpoints, XML-RPC bridges, and frameworks that serialize or deserialize SOAP messages. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary PHP code on the target system. Depending on the web server’s configuration, this can lead to full server takeover, data exfiltration, or lateral movement within the network.

Actionable Remediation

Patch immediately. The following PHP versions contain the fix:

  • PHP 8.2.31 and later
  • PHP 8.3.31 and later
  • PHP 8.4.21 and later
  • PHP 8.5.6 and later

Upgrade all affected PHP installations as the highest priority. For systems where immediate upgrade is not feasible, consider disabling the SOAP extension (extension=soap commented out in php.ini) as a temporary mitigation, provided the application does not require SOAP functionality. Monitor incoming SOAP requests for unusual payload structures, especially those containing duplicate Map keys or href attributes referencing internal nodes.
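The following POSIX shell script is an added example, not part of the advisory, for checking a host against the fixed releases listed above. The function `php_vuln_cve_2026_6722` is a name chosen here; it classifies a "major.minor.patch" version string (distribution suffixes such as "-1ubuntu1" are tolerated) and the surrounding code, when `php` is on PATH, reports the installed interpreter and whether the soap module is loaded, which is the condition under which the mitigation of commenting out `extension=soap` matters.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a PHP version against the
# fixed releases for CVE-2026-6722 and report whether the soap extension is
# loaded on this host.

# php_vuln_cve_2026_6722 VERSION
# Exit status 0: version is in an affected range (patch below the fix).
# Exit status 1: version is at or above the fixed release for its branch.
# Exit status 2: branch is not one the advisory covers (8.2 through 8.5).
php_vuln_cve_2026_6722() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Keep only the leading digits of the patch field so "30-1ubuntu1" -> 30.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    case "$major.$minor" in
        8.2) fixed=31 ;;   # fixed in 8.2.31
        8.3) fixed=31 ;;   # fixed in 8.3.31
        8.4) fixed=21 ;;   # fixed in 8.4.21
        8.5) fixed=6  ;;   # fixed in 8.5.6
        *)   return 2 ;;
    esac
    [ "${patch:-0}" -lt "$fixed" ]
}

# Host check: only runs when a php binary is available. Nothing here is
# specific to the advisory beyond the version table above.
if command -v php >/dev/null 2>&1; then
    installed=$(php -r 'echo PHP_VERSION;' 2>/dev/null)
    rc=0
    php_vuln_cve_2026_6722 "$installed" || rc=$?
    case "$rc" in
        0) status="AFFECTED by CVE-2026-6722, upgrade required" ;;
        1) status="at or above the fixed release" ;;
        *) status="branch not covered by the advisory" ;;
    esac
    echo "PHP $installed: $status"
    # php -m lists loaded modules; soap present means the SOAP surface is live.
    if php -m 2>/dev/null | grep -qi '^soap$'; then
        echo "soap extension: loaded (disable via php.ini if SOAP is unused)"
    else
        echo "soap extension: not loaded"
    fi
fi
```

Run it on each web host; a result of "AFFECTED" together with "soap extension: loaded" is the combination that needs action first, while "not loaded" on an affected version still warrants the upgrade but is not reachable through the SOAP parser.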

Security Insight

CVE-2026-6722 underscores a recurring pattern in scripting language runtimes where object lifecycle management in serialization handlers diverges from the core memory safety model. This vulnerability mirrors similar issues found in Python’s pickle module and Java’s deserialization APIs. For PHP, it marks another case where the SOAP extension, often considered a legacy feature, introduces critical remote attack surface in modern deployments. The high CVSS score reflects that an unauthenticated network vector combined with code execution is among the most severe outcomes; organizations still running SOAP services should treat this as a zero-trust boundary.
