CVE-2026-24895 Overview
CVE-2026-24895 is a high-severity vulnerability in FrankenPHP, a modern application server for PHP. The vulnerability exists in the CGI path splitting logic, which improperly handles Unicode characters during case conversion operations. This flaw can allow attackers to manipulate request paths to execute unintended PHP files on vulnerable servers.
Critical Impact
Attackers can exploit Unicode case conversion inconsistencies to execute arbitrary PHP files by crafting malicious request paths, potentially leading to complete server compromise.
Affected Products
- FrankenPHP versions prior to 1.11.2
Discovery Timeline
- February 12, 2026 - CVE-2026-24895 published to NVD
- February 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-24895
Vulnerability Analysis
This vulnerability stems from an incorrect implementation of path splitting logic within FrankenPHP's CGI handling mechanism. The flaw involves a mismatch between byte-level string operations performed on different character encodings. When FrankenPHP processes incoming HTTP requests, it searches for .php extensions in the URL path to determine which PHP script to execute. The implementation computes the split index by first converting the request path to lowercase using Go's strings.ToLower() function, then applying that calculated byte index back to the original, unmodified request path.
The core issue arises because certain UTF-8 encoded Unicode characters expand in byte length when converted to lowercase. For example, the character Ⱥ (Latin Capital Letter A with Stroke) is represented as 2 bytes in UTF-8, but its lowercase equivalent requires 3 bytes. This byte length expansion causes the computed index to be misaligned with the original string's structure, resulting in incorrect values for SCRIPT_NAME and SCRIPT_FILENAME environment variables.
Root Cause
The vulnerability is classified under CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize). The root cause is the improper handling of Unicode normalization and case conversion in path processing. The code incorrectly assumes that the byte length of a string remains constant after case conversion, which is not true for certain UTF-8 characters. This assumption leads to index miscalculation when the lowercased copy of the path has a different byte length than the original.
Attack Vector
An attacker can exploit this vulnerability by crafting HTTP requests containing specific Unicode characters in the URL path. By strategically placing characters that expand during lowercase conversion, an attacker can manipulate the computed split index to point to a different location in the original path than intended. This manipulation can cause FrankenPHP to execute a different PHP file than the one specified in the URI.
The attack is network-based and requires no authentication or user interaction. An attacker could potentially:
- Bypass security controls that rely on path-based access restrictions
- Execute PHP files that should not be directly accessible
- Achieve arbitrary code execution if combined with file upload functionality
The vulnerability can be triggered by sending a crafted HTTP request containing Unicode characters like Ⱥ in the path segment preceding the .php extension, causing the server to misinterpret which file should be executed.
Detection Methods for CVE-2026-24895
Indicators of Compromise
- HTTP requests containing unusual Unicode characters in URI paths, particularly characters like Ⱥ, Ⱦ, or other characters that expand when lowercased
- Web server logs showing requests with extended UTF-8 byte sequences preceding .php extensions
- Unexpected PHP file executions or error logs indicating script path mismatches
- Access attempts to PHP files that should not be publicly accessible
Detection Strategies
- Monitor web server access logs for requests containing non-ASCII characters in paths targeting PHP files
- Implement Web Application Firewall (WAF) rules to detect and block requests with suspicious Unicode patterns in URL paths
- Review FrankenPHP application logs for anomalies in SCRIPT_NAME or SCRIPT_FILENAME values
- Deploy intrusion detection signatures that identify UTF-8 encoded characters known to expand during case conversion
Monitoring Recommendations
- Enable verbose logging on FrankenPHP servers to capture full request paths including Unicode characters
- Set up alerts for requests where the executed script path doesn't match the expected request URI
- Monitor for unusual patterns of PHP file access that deviate from normal application behavior
- Implement anomaly detection for web traffic containing high concentrations of extended Unicode characters
How to Mitigate CVE-2026-24895
Immediate Actions Required
- Upgrade FrankenPHP to version 1.11.2 or later immediately
- Review access logs for any signs of exploitation attempts using Unicode-crafted paths
- Implement WAF rules to filter requests containing suspicious Unicode patterns while awaiting patching
- Audit PHP file permissions to ensure only intended files are executable
Patch Information
The vulnerability has been fixed in FrankenPHP version 1.11.2. The fix addresses the byte index miscalculation by properly handling Unicode characters during path splitting operations. The security patch is available through the official GitHub release.
For technical details on the fix implementation, refer to the GitHub commit and the security advisory GHSA-g966-83w7-6w38.
Workarounds
- Deploy a reverse proxy or WAF in front of FrankenPHP that normalizes Unicode characters before passing requests to the application server
- Implement request filtering at the network edge to reject URLs containing potentially problematic Unicode characters
- Restrict access to the FrankenPHP server to trusted networks until patching can be completed
- Configure file system permissions to limit which PHP files can be executed, reducing the impact of path manipulation attacks
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
