CVE-2026-34084 Overview
CVE-2026-34084 affects PhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files. The vulnerability allows attackers to abuse PHP stream wrappers when the filename argument to IOFactory::load() is user-controlled. An attacker can supply a phar://, ftp://, or ssh2.sftp:// path that bypasses the is_file() check inside File::assertFile(). The phar:// wrapper triggers PHAR metadata deserialization, enabling remote code execution when a suitable gadget chain exists. The ftp:// and ssh2.sftp:// wrappers enable server-side request forgery (SSRF). The flaw is tracked under CWE-502 (Deserialization of Untrusted Data).
Critical Impact
Unauthenticated attackers can achieve remote code execution or SSRF through user-controlled file paths passed to PhpSpreadsheet's loader.
Affected Products
- PhpSpreadsheet versions 1.30.2 and earlier
- PhpSpreadsheet versions 2.0.0 through 2.1.14, and 2.2.0 through 2.4.3
- PhpSpreadsheet versions 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0
Discovery Timeline
- 2026-05-05 - CVE-2026-34084 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-34084
Vulnerability Analysis
The vulnerability exists in the File::assertFile() helper used by IOFactory::load() to validate input paths. The helper relies on PHP's is_file() function, which evaluates registered stream wrappers rather than restricting input to local filesystem paths. When an attacker passes a path beginning with phar://, PHP opens the referenced PHAR archive and unserializes its metadata as part of that filesystem check, before any spreadsheet reader runs. If the application's autoloader exposes classes with exploitable magic methods such as __destruct or __wakeup, the deserialization triggers a property-oriented programming (POP) gadget chain that ends in arbitrary code execution.
The same path also accepts ftp:// and ssh2.sftp:// wrappers. These wrappers cause the PHP process to issue outbound network requests, producing a server-side request forgery primitive that can reach internal services or cloud metadata endpoints.
Root Cause
The root cause is an insufficient validation pattern. is_file() returns true for any path resolvable by a registered stream wrapper, so the assertion never enforces that the input is a local file. Combined with PHP's automatic deserialization of PHAR metadata, this turns a path-validation function into a remote code execution sink.
Attack Vector
An attacker uploads or hosts a crafted PHAR archive containing serialized objects that map to gadget classes available in the target application's autoloader. The attacker then submits the path phar:///path/to/uploaded.file (or a remote variant) to any endpoint that forwards user input to IOFactory::load(). PHP processes the PHAR stream, deserializes its metadata, and executes the gadget chain. For SSRF, the attacker substitutes ftp:// or ssh2.sftp:// URLs to coerce the server into connecting to attacker-chosen hosts.
No verified public exploit code is available at the time of publication. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-34084
Indicators of Compromise
- Web server access logs containing request parameters with phar://, ftp://, ssh2.sftp://, or other stream wrapper prefixes.
- Unexpected outbound FTP or SFTP connections originating from PHP-FPM or web server worker processes.
- File uploads with double extensions or non-standard MIME types where the underlying content is a PHAR archive.
- PHP error logs referencing PharException, unserialization errors, or class autoloads triggered during spreadsheet loading.
Detection Strategies
- Inspect application code paths that pass HTTP-supplied values into IOFactory::load() and flag any without strict scheme allow-listing.
- Deploy web application firewall rules that block request parameters containing phar://, ftp://, or ssh2.sftp:// substrings.
- Monitor process telemetry for PHP workers spawning shells, writing to web roots, or initiating outbound traffic on TCP/21 and TCP/22.
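The access-log indicator above can be checked mechanically. The following script is an added example written for this page (not part of the advisory or of PhpSpreadsheet): it scans combined-format log lines for query parameters whose value starts with a stream-wrapper scheme, and it decodes the value twice and matches case-insensitively so that URL-encoded, double-encoded and upper-case variants do not slip past a plain "phar://" substring match. The log lines are constructed samples.

```php
<?php
// Added example (not from the advisory): flag access-log requests whose query
// parameters carry a PHP stream-wrapper scheme, catching URL-encoded,
// double-encoded and mixed-case variants that a plain "phar://" match misses.
declare(strict_types=1);

// Schemes named on the page plus other wrappers a spreadsheet loader should never receive.
const WRAPPER_SCHEMES = ['phar', 'ftp', 'ftps', 'ssh2.sftp', 'ssh2.shell', 'ssh2.exec', 'data', 'glob'];

// Returns offending "name=value" pairs from one combined-format log line, or [].
// Only the query string is visible in access logs; POST bodies need application logging.
function findWrapperParams(string $logLine): array
{
    if (!preg_match('#"(?:GET|POST|PUT|PATCH)\s+(\S+)\s+HTTP/#', $logLine, $m)) {
        return [];
    }
    $query = strstr($m[1], '?');
    if ($query === false) {
        return [];
    }
    // PHP resolves wrapper names case-insensitively, so "PHAR://" must match too.
    $pattern = '#^\s*(' . implode('|', array_map('preg_quote', WRAPPER_SCHEMES)) . ')://#i';
    $hits = [];
    foreach (explode('&', substr($query, 1)) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        // Decode twice so phar%253A%252F%252F (double-encoded) is also caught.
        $decoded = rawurldecode(rawurldecode($value));
        if (preg_match($pattern, $decoded)) {
            $hits[] = rawurldecode($name) . '=' . $decoded;
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sampleLog = [
    '10.0.0.5 - - [05/May/2026:10:01:02 +0000] "GET /import?file=report.xlsx HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/May/2026:10:01:09 +0000] "GET /import?file=phar%3A%2F%2F%2Ftmp%2Fup.jpg%2Fx.xlsx HTTP/1.1" 500 0',
    '10.0.0.9 - - [05/May/2026:10:02:33 +0000] "GET /import?file=FTP%3A%2F%2F10.0.0.1%2Fx.csv HTTP/1.1" 500 0',
];
foreach ($sampleLog as $line) {
    foreach (findWrapperParams($line) as $hit) {
        echo "ALERT wrapper scheme in request: {$hit}\n";
    }
}
```

Run against the sample lines, the first request produces no output and the second and third each raise one ALERT line.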
Monitoring Recommendations
- Audit the PHP disable_functions setting, and log calls to unserialize(), the Phar functions, and the stream wrapper APIs from application code or an extension hook.
- Forward web server, application, and network egress logs to a centralized analytics platform for correlation across upload, load, and outbound connection events.
- Alert on file uploads followed within seconds by spreadsheet processing requests referencing the same path.
How to Mitigate CVE-2026-34084
Immediate Actions Required
- Upgrade PhpSpreadsheet to a fixed release: 1.30.3, 2.1.15, 2.4.4, 3.10.4, or 5.6.0.
- Audit all invocations of IOFactory::load(), IOFactory::createReaderForFile(), and related entry points for user-controlled input.
- Reject any input value that contains :// before passing it to the library, and resolve user paths against an absolute base directory using realpath().
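The three actions above fit together in one loader wrapper. The class below is an added example written for this page, not PhpSpreadsheet project code; it assumes PHP 8 (for str_contains() and str_starts_with()), a Composer autoloader, and an upload directory path that the application controls. It rejects any scheme before touching the filesystem, accepts only a bare file name, and uses realpath() to pin the result inside the base directory, so IOFactory::load() only ever receives a verified local path.

```php
<?php
// Added example, not PhpSpreadsheet project code: resolve a user-supplied file
// name to a regular file inside an application-controlled directory before
// handing it to IOFactory::load(). Assumes PHP 8 and a Composer autoloader.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;

final class SafeSpreadsheetLoader
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('Upload directory does not exist');
        }
        $this->baseDir = $real;
    }

    // Returns an absolute local path or throws; a wrapper URL can never get through.
    public function resolve(string $userInput): string
    {
        // 1. Reject any scheme (phar://, ftp://, ssh2.sftp://, ...) and NUL bytes
        //    before touching the filesystem, so is_file() never sees a wrapper.
        if (str_contains($userInput, '://') || str_contains($userInput, "\0")) {
            throw new InvalidArgumentException('Stream wrappers are not allowed');
        }
        // 2. Accept a bare file name only: no directory parts, no dotfiles.
        if ($userInput === '' || $userInput[0] === '.' || $userInput !== basename($userInput)) {
            throw new InvalidArgumentException('Invalid file name');
        }
        // 3. realpath() resolves local paths only and collapses symlinks and "..",
        //    so a result outside $baseDir means traversal; false means not found.
        $candidate = realpath($this->baseDir . DIRECTORY_SEPARATOR . $userInput);
        if ($candidate === false || !str_starts_with($candidate, $this->baseDir . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException('File not found in upload directory');
        }
        if (!is_file($candidate)) {
            throw new RuntimeException('Not a regular file');
        }
        return $candidate;
    }
}

// Usage in an endpoint (assumed upload directory and parameter name):
// $sheet = IOFactory::load((new SafeSpreadsheetLoader('/var/www/app/uploads'))->resolve($_GET['file'] ?? ''));
```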
Patch Information
The maintainers fixed the issue in PhpSpreadsheet versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0. The fix tightens path validation so stream wrappers no longer satisfy the file assertion. Refer to the GitHub Security Advisory GHSA-q4q6-r8wh-5cgh for the patch commits and release notes.
Workarounds
- Restrict accepted input to validated local paths inside an application-controlled upload directory.
- Disable unused PHP stream wrappers using stream_wrapper_unregister('phar'), stream_wrapper_unregister('ftp'), and stream_wrapper_unregister('ssh2.sftp') where the application does not require them.
- Configure open_basedir and allow_url_fopen=Off in php.ini to limit the filesystem and network surface available to the worker process.
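The stream_wrapper_unregister() workaround has to run on every request, because PHP restores the default wrapper set when a request ends. The bootstrap snippet below is an added example for this page (not from the advisory or the project) that removes the wrappers named above, reports which ones were actually present, and fails closed if any of them are still registered; it assumes the application never needs phar, ftp, ftps or ssh2.sftp access itself.

```php
<?php
// Added example (not from the advisory or the project): bootstrap-time
// workaround that removes the stream wrappers the application does not need.
// Include it from the front controller or via auto_prepend_file so it runs
// before any user input reaches IOFactory::load(); wrapper changes are per request.
declare(strict_types=1);

// Wrappers named in the advisory; extend only with schemes the app never uses.
const UNNEEDED_WRAPPERS = ['phar', 'ftp', 'ftps', 'ssh2.sftp'];

// Returns the wrappers that were registered and are now removed.
// Wrappers that are absent (e.g. ssh2.sftp without the ssh2 extension) are skipped.
function unregisterUnneededWrappers(array $schemes = UNNEEDED_WRAPPERS): array
{
    $removed = [];
    $registered = stream_get_wrappers();
    foreach ($schemes as $scheme) {
        if (in_array($scheme, $registered, true) && stream_wrapper_unregister($scheme)) {
            $removed[] = $scheme;
        }
    }
    return $removed;
}

// True only when none of the unwanted schemes remain in the wrapper table,
// which means is_file('phar://...') and friends can no longer resolve.
function wrappersAreBlocked(array $schemes = UNNEEDED_WRAPPERS): bool
{
    return array_intersect($schemes, stream_get_wrappers()) === [];
}

$removed = unregisterUnneededWrappers();
error_log('Removed stream wrappers: ' . implode(', ', $removed));
if (!wrappersAreBlocked()) {
    // Fail closed: do not serve the request if the workaround did not take effect.
    throw new RuntimeException('Stream wrapper hardening did not apply');
}
```

Verify the change in the same request with var_dump(stream_get_wrappers()) rather than from the CLI, since a separate process starts with the default wrapper set again.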
; Configuration example: php.ini hardening
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/var/www/app:/tmp"
; disable_functions only blocks internal PHP functions, not stream wrappers;
; remove unneeded wrappers with stream_wrapper_unregister() in application code instead.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.