CVE-2026-39850 Overview
CVE-2026-39850 is a Local File Inclusion (LFI) vulnerability in the Yii 2 PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile(). The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. A caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include. Attackers can leverage this to achieve information disclosure or remote code execution when paired with a separate primitive that writes attacker-controlled PHP files. The issue is fixed in version 2.0.55.
Critical Impact
Attacker-controlled parameters can overwrite the view file path, enabling Local File Inclusion and potential Remote Code Execution in Yii 2 applications.
Affected Products
- Yii 2 framework versions 2.0.54 and prior
- Applications using yii\base\View::renderPhpFile()
- Applications using yii\web\ErrorHandler view rendering
Discovery Timeline
- 2026-05-20 - CVE-2026-39850 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-39850
Vulnerability Analysis
The vulnerability resides in framework/base/View.php within the renderPhpFile($_file_, $_params_ = []) method. Yii uses underscore-prefixed parameter names ($_file_, $_params_) to avoid collisions with extracted view variables. However, the method calls extract($_params_, EXTR_OVERWRITE) in the same scope as require $_file_. The EXTR_OVERWRITE flag tells PHP to overwrite any existing variable with values from the source array. An attacker who controls keys in $_params_ can include a key named _file_, which overwrites the local variable holding the view path immediately before the require statement executes. The same flaw exists in framework/web/ErrorHandler.php, where Yii::getAlias($_file_) is also reachable from extracted user input. This maps to [CWE-20] Improper Input Validation.
Root Cause
The root cause is the lack of scope isolation between framework internals and caller-supplied template variables. PHP's extract() operates on the current symbol table, so any internal variable sharing a name with an array key is overwritten.
Attack Vector
Exploitation requires that attacker-controlled data flows into the $params array passed to renderPhpFile() or a wrapper such as render(). By supplying a _file_ key, the attacker redirects the require to an arbitrary path. Pairing this with an upload or log-poisoning primitive that writes PHP content yields Remote Code Execution.
public function renderPhpFile($_file_, $_params_ = [])
{
$_obInitialLevel_ = ob_get_level();
+ $_renderer_ = function () {
+ extract(func_get_arg(1), EXTR_OVERWRITE);
+ require func_get_arg(0);
+ };
ob_start();
ob_implicit_flush(false);
- extract($_params_, EXTR_OVERWRITE);
try {
- require $_file_;
+ call_user_func_array($_renderer_, [$_file_, $_params_]);
return ob_get_clean();
} catch (\Exception $e) {
while (ob_get_level() > $_obInitialLevel_) {
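Review bot: the hunk covers only View::renderPhpFile(), while the analysis above reports the same extract()-before-require pattern in framework/web/ErrorHandler.php (reached through Yii::getAlias($_file_)); confirm the commit carries the matching change there, otherwise the error-page path stays exposed. The closure deliberately reads its inputs with func_get_arg(0) / func_get_arg(1) instead of declaring named parameters, because named parameters would reappear as locals that extract() could overwrite; a one-line comment above `extract(func_get_arg(1), EXTR_OVERWRITE);` would protect that intent from a later "cleanup" that reintroduces the bug. Minor: the hunk is cut off after `while (ob_get_level() > $_obInitialLevel_) {`, so the buffer-level unwinding on exception is not reviewable here.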
Source: GitHub Commit 109878b
The patch moves extract() and require inside an anonymous function invoked via call_user_func_array(). This isolates the symbol table so caller-supplied keys cannot overwrite $_file_ in the outer scope.
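The following is an added example, not code from the Yii project or the advisory: it reproduces the mechanism described in the analysis above with two throwaway "view" files in the temp directory, side by side with a function that has the same shape as the patched method. The function names, the fixture files and the catch of \Throwable (rather than the framework's \Exception) are this example's own choices.

```php
<?php
// Added example, not Yii's code: minimal reproduction of the CVE-2026-39850
// mechanism next to the fix shape used in 2.0.55. Fixtures are created in
// the temp directory so the script runs without the framework installed.

// Vulnerable shape (2.0.54 and prior): extract() and require share one scope,
// so a key named "_file_" in $_params_ replaces the local $_file_ before the
// require statement runs.
function renderPhpFileVulnerable($_file_, array $_params_ = [])
{
    ob_start();
    ob_implicit_flush(false);
    try {
        extract($_params_, EXTR_OVERWRITE);
        require $_file_;
        return ob_get_clean();
    } catch (\Throwable $e) {
        ob_end_clean();
        throw $e;
    }
}

// Fixed shape (2.0.55): extract() and require run inside a closure whose
// symbol table never contains $_file_ or $_params_; the arguments are read
// with func_get_arg(), so there is nothing for extract() to overwrite.
function renderPhpFileFixed($_file_, array $_params_ = [])
{
    $_renderer_ = function () {
        extract(func_get_arg(1), EXTR_OVERWRITE);
        require func_get_arg(0);
    };
    ob_start();
    ob_implicit_flush(false);
    try {
        call_user_func_array($_renderer_, [$_file_, $_params_]);
        return ob_get_clean();
    } catch (\Throwable $e) {
        ob_end_clean();
        throw $e;
    }
}

// Constructed fixtures: the intended view, and a second file standing in for
// anything else on disk that a caller should never be able to select.
$dir = sys_get_temp_dir() . '/yii-lfi-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/intended.php', '<?php echo "intended view, name=" . $name;');
file_put_contents($dir . '/other.php', '<?php echo "OTHER FILE";');

// A params array in which one key happens to match the internal variable name.
$params = ['name' => 'alice', '_file_' => $dir . '/other.php'];

echo "vulnerable: ", renderPhpFileVulnerable($dir . '/intended.php', $params), "\n";
echo "fixed:      ", renderPhpFileFixed($dir . '/intended.php', $params), "\n";

array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

The vulnerable variant renders other.php because extract() rewrote $_file_; the fixed variant renders intended.php and still exposes $name to the template, since a file required inside the closure inherits the closure's scope. That is the whole point of the fix: the template keeps its variables, the framework keeps its file path.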
Detection Methods for CVE-2026-39850
Indicators of Compromise
- Unexpected require or include operations targeting paths outside the application's views/ directory tree
- PHP file writes in upload, cache, or session directories followed by view-rendering requests
- Web server access logs showing request parameters named _file_ or containing path-like values to view-rendering endpoints
- Outbound connections or process spawns originating from the PHP-FPM or web server process
Detection Strategies
- Conduct static analysis of application code to identify calls to render(), renderFile(), or renderPhpFile() where $params derives from request data such as $_GET, $_POST, or Yii::$app->request
- Enable PHP open_basedir restrictions and alert on require/include violations in error logs
- Inspect HTTP request bodies and query strings for the parameter key _file_ reaching Yii controllers
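As an added example (not part of the advisory or the Yii project), the request-side indicators above turned into a small scanner over constructed access-log lines. The endpoint list and the "path-like value" regex are assumptions to tune per application; POST bodies do not appear in access logs, so only query-string parameters are covered here.

```php
<?php
// Added example, not from the advisory or Yii: flag requests whose query
// string carries a reserved renderPhpFile() variable name, or a path-like
// value aimed at a view-rendering endpoint. Endpoints and regexes are
// assumptions for the demo.

const RESERVED_VIEW_KEYS = ['_file_', '_params_', '_obInitialLevel_', '_renderer_'];

// Parse one common/combined-format line into the fields we need, or null.
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    $query = [];
    if (!empty($url['query'])) {
        parse_str($url['query'], $query);   // URL-decodes names and values
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '/',
        'query'  => $query,
        'status' => (int) $m[5],
    ];
}

// Reasons a query string is suspicious. The path-like heuristic is only
// applied on rendering endpoints to keep noise down elsewhere.
function suspiciousParams(array $query, bool $viewEndpoint): array
{
    $reasons = [];
    foreach ($query as $key => $value) {
        if (in_array($key, RESERVED_VIEW_KEYS, true)) {
            $reasons[] = "reserved key '$key'";
        }
        if ($viewEndpoint && is_string($value)
            && preg_match('#(\.\./|\.php\b|^[a-z][a-z0-9+.-]*://)#i', $value)) {
            $reasons[] = "path-like value in '$key'";
        }
    }
    return $reasons;
}

// One alert per matching line: line number, client, path, reasons.
function scanAccessLog(array $lines, array $viewEndpoints): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        $req = parseAccessLogLine($line);
        if ($req === null) {
            continue;
        }
        $isView  = in_array($req['path'], $viewEndpoints, true);
        $reasons = suspiciousParams($req['query'], $isView);
        if ($reasons) {
            $alerts[] = ['line' => $i + 1, 'ip' => $req['ip'], 'path' => $req['path'], 'reasons' => $reasons];
        }
    }
    return $alerts;
}

// Constructed sample: a normal request, one carrying a reserved key, one with
// a traversal-looking value on a rendering endpoint, and a .php value on an
// endpoint that does not render views.
$sampleLog = [
    '203.0.113.5 - - [20/May/2026:10:00:01 +0000] "GET /site/page?view=about HTTP/1.1" 200 1843',
    '203.0.113.9 - - [20/May/2026:10:00:07 +0000] "GET /site/page?view=about&_file_=..%2Fuploads%2Fexample.php HTTP/1.1" 200 93',
    '203.0.113.9 - - [20/May/2026:10:00:12 +0000] "GET /report/render?tpl=..%2Fsomewhere%2Foutside.txt HTTP/1.1" 500 0',
    '198.51.100.2 - - [20/May/2026:10:01:00 +0000] "GET /download?name=export.php HTTP/1.1" 200 2048',
];

foreach (scanAccessLog($sampleLog, ['/site/page', '/report/render']) as $a) {
    printf("line %d  %s  %s  %s\n", $a['line'], $a['ip'], $a['path'], implode('; ', $a['reasons']));
}
```

Run it against a real log with the application's own rendering routes in the endpoint list; a reserved key is reported on any endpoint, because there is no legitimate reason for a request to name a framework-internal variable.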
Monitoring Recommendations
- Monitor file integrity in writable directories such as runtime/, web/assets/, and any upload locations for newly created .php files
- Log and review all view->render* invocations with non-standard file path arguments
- Track process lineage from php-fpm, httpd, or nginx workers for unexpected child processes
How to Mitigate CVE-2026-39850
Immediate Actions Required
- Upgrade Yii 2 to version 2.0.55 or later, which contains the official fix
- Audit application code for any path where untrusted input is merged into the $params array passed to view rendering methods
- Restrict and validate file upload destinations to non-executable directories and confirm web server configuration prevents PHP execution there
Patch Information
The vulnerability is resolved in Yii 2 version 2.0.55. The fix isolates extract() and require inside an anonymous function so caller-controlled keys cannot overwrite the $_file_ variable. Review the GitHub Security Advisory GHSA-5vpg-rj7q-qpw2 and the upstream commit for full technical details.
Workarounds
- If upgrading is not immediately possible, sanitize $params arrays to remove reserved keys such as _file_, _params_, and _obInitialLevel_ before passing them to view methods
- Configure PHP open_basedir to restrict require/include operations to the application's view directories
- Ensure file upload directories are stored outside the document root and that the web server is configured to refuse PHP execution within them
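The first workaround above as a standalone helper, added here and not taken from the advisory or the Yii project. The reserved list is the set of variable names in renderPhpFile(); the underscore-wrapped pattern and the identifier check are this example's own generalisations. In a Yii application it would sit in front of render()/renderFile() calls, for instance in a View subclass that overrides renderPhpFile(), until 2.0.55 is deployed.

```php
<?php
// Added example, not from Yii: drop parameter keys that could collide with
// the framework's internal view-scope variables, and report what was dropped
// so the calling code path can be audited.

const RESERVED_VIEW_KEYS = ['_file_', '_params_', '_obInitialLevel_', '_renderer_'];

/**
 * Returns [$cleanParams, $removedKeys]. A key is removed when it is on the
 * reserved list, matches the _name_ convention Yii uses for internals
 * (assumption), is "this" (extract() refuses to reassign $this and the view
 * would abort), or is not a plain identifier, which extract() would skip anyway.
 */
function stripReservedViewParams(array $params): array
{
    $clean   = [];
    $removed = [];
    foreach ($params as $key => $value) {
        $key = (string) $key;
        $reserved = in_array($key, RESERVED_VIEW_KEYS, true)
            || preg_match('/^_.*_$/', $key) === 1
            || $key === 'this'
            || preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key) !== 1;
        if ($reserved) {
            $removed[] = $key;
            continue;
        }
        $clean[$key] = $value;
    }
    return [$clean, $removed];
}

// Constructed instance of the risky pattern the audit step looks for:
// request data merged straight into the template parameters.
$fromRequest = [
    'page'   => 'about',
    '_file_' => '/some/other/file.php',
    'this'   => 'x',
    '9lives' => 1,
];
$params = array_merge(['title' => 'About us'], $fromRequest);

[$clean, $removed] = stripReservedViewParams($params);
echo "kept:    " . implode(', ', array_keys($clean)) . "\n";
echo "dropped: " . implode(', ', $removed) . "\n";
if ($removed) {
    // Surface the event: a reserved key arriving from request data is the
    // very condition the audit in "Immediate Actions" is meant to find.
    error_log('view params contained reserved keys: ' . implode(', ', $removed));
}
```

Stripping is a stopgap that protects only the call sites routed through it; the upgrade is still the fix, because the patched method no longer has a variable for the caller to collide with.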
Upgrade Commands
# Composer upgrade to the patched release
composer require yiisoft/yii2:^2.0.55
composer update yiisoft/yii2
# Verify the installed version. Composer's autoloader does not register the
# global Yii class (it lives in vendor/yiisoft/yii2/Yii.php), so that file
# must be required explicitly or the call fails with "Class 'Yii' not found".
php -r "require 'vendor/autoload.php'; require 'vendor/yiisoft/yii2/Yii.php'; echo Yii::getVersion(), PHP_EOL;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.