CVE-2026-27206: The Zumba Class Dance: RCE via PHP Object Injection in json-serializer

Published: February 21, 2026 at 02:10 AM EST
Source: Dev.to

TL;DR

Zumba Json Serializer ≤ 3.2.2 blindly trusts the @type field in JSON input, allowing attackers to instantiate any PHP class. If a “gadget” class exists in the application, this leads to Remote Code Execution (RCE). The fix in 3.2.3 introduces an allowlist, but it defaults to “allow all” for backward compatibility, leaving updated applications vulnerable unless explicitly configured.

Technical Details

  • Vulnerability ID: CVE-2026-27206
  • CWE ID: CWE-502 (PHP Object Injection)
  • CVSS Score: 8.1 (High)
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept (PoC) Available
  • Vulnerability Type: PHP Object Injection

Affected Systems

  • PHP applications using zumba/json-serializer ≤ 3.2.2, and 3.2.3 installations that never call setAllowedClasses(): the fix only rejects a class when `allowedClasses !== null && !in_array($className, $this->allowedClasses, true)`, so with the default null allowlist every @type is still instantiated.

Exploit Details

Mitigation Strategies

  • Upgrade to version 3.2.3 immediately.
  • Implement a strict allowlist of classes using setAllowedClasses().
  • Switch to native json_decode if object hydration is not strictly required.
  • Audit application dependencies for known gadget chains (e.g., PHPGGC).

Remediation Steps

  1. Run:

     composer require zumba/json-serializer:^3.2.3

  2. Search the codebase for all instantiations of new JsonSerializer().

  3. After each instantiation, add:

     $serializer->setAllowedClasses([...]); // list of permitted classes

  4. Test serialization flows to ensure legitimate classes are not blocked.
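The following is an added example, not code from the advisory or from the zumba/json-serializer project, showing how a defender can wrap the library so that the @type trust described in the TL;DR is closed in two layers: the 3.2.3 allowlist from remediation step 3, plus an application-side scan of every @type value before the library sees the document (which also covers code still on ≤ 3.2.2). It assumes the class is `Zumba\JsonSerializer\JsonSerializer` with an `unserialize()` method (as in the project's README); `setAllowedClasses()` is the method the advisory names. `App\Dto\UserProfile`, `App\Dto\Address` and the rejected `SomeVendor\Unexpected` are hypothetical class names, and the payload is constructed for the demonstration.

```php
<?php
// Added example (not from the advisory or the zumba/json-serializer project).
// Assumptions: Zumba\JsonSerializer\JsonSerializer exposes unserialize() (project README)
// and setAllowedClasses() (the 3.2.3 fix named in the advisory). All App\Dto\* and
// SomeVendor\* class names below are hypothetical.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Zumba\JsonSerializer\JsonSerializer;

final class SafeJsonUnserializer
{
    /** @var list<string> fully qualified class names permitted to be hydrated */
    private array $allowedClasses;
    private JsonSerializer $serializer;

    /** @param list<string> $allowedClasses explicit allowlist; an empty list is refused */
    public function __construct(array $allowedClasses)
    {
        if ($allowedClasses === []) {
            throw new InvalidArgumentException('allowlist must name at least one class');
        }
        $this->allowedClasses = array_map(fn (string $c) => ltrim($c, '\\'), $allowedClasses);
        $this->serializer = new JsonSerializer();
        // Remediation step 3: never leave the 3.2.3 default (null = allow everything) in place.
        $this->serializer->setAllowedClasses($this->allowedClasses);
    }

    /** Recursively collect every "@type" value in the decoded document. */
    private static function collectTypes(mixed $node, array &$found): void
    {
        if (!is_array($node)) {
            return;
        }
        if (isset($node['@type']) && is_string($node['@type'])) {
            $found[] = ltrim($node['@type'], '\\');
        }
        foreach ($node as $child) {
            self::collectTypes($child, $found);
        }
    }

    /**
     * Library-independent pre-check: return the "@type" values that are not allowlisted.
     * Works on any version of the library, including <= 3.2.2 without setAllowedClasses().
     * @return list<string>
     */
    public function disallowedTypes(string $json): array
    {
        $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        $found = [];
        self::collectTypes($decoded, $found);
        $unexpected = array_filter(
            array_unique($found),
            fn (string $t) => !in_array($t, $this->allowedClasses, true)
        );
        return array_values($unexpected);
    }

    /** Hydrate only after the pre-check passes; rejected names are logged for detection. */
    public function unserialize(string $json): mixed
    {
        $bad = $this->disallowedTypes($json);
        if ($bad !== []) {
            error_log('json-serializer: rejected @type ' . implode(', ', $bad));
            throw new RuntimeException('refusing to hydrate disallowed class(es)');
        }
        return $this->serializer->unserialize($json);
    }
}

// Constructed payload: a legitimate outer object carrying an unexpected nested @type.
$payload = <<<'JSON'
{"@type":"App\\Dto\\UserProfile","name":"example",
 "address":{"@type":"SomeVendor\\Unexpected","street":"n/a"}}
JSON;

$safe = new SafeJsonUnserializer(['App\Dto\UserProfile', 'App\Dto\Address']);
print_r($safe->disallowedTypes($payload));   // lists the nested SomeVendor\Unexpected

try {
    $safe->unserialize($payload);            // rejected before the library instantiates anything
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The pre-check deliberately walks the whole document rather than only the top-level object, since a gadget class can be referenced from any nested value; the `error_log` line gives the SOC a concrete string to alert on when an unexpected @type arrives from the network.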
