Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45247

CVE-2026-45247: Magento Full Page Cache Warmer RCE Flaw

CVE-2026-45247 is a remote code execution vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 that allows unauthenticated attackers to execute arbitrary code via crafted serialized objects. This article covers the exploitation mechanism, affected versions, and security patches.

Published:

CVE-2026-45247 Overview

CVE-2026-45247 is a PHP object injection vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 versions prior to 1.11.12. The flaw stems from an unrestricted call to PHP's native unserialize() function on data supplied through the CacheWarmer cookie. Unauthenticated remote attackers can submit a crafted serialized PHP object and trigger gadget chains present in Magento and its dependencies, leading to arbitrary code execution on the server. The issue is tracked under [CWE-502: Deserialization of Untrusted Data].

Critical Impact

Unauthenticated attackers can achieve remote code execution on Magento 2 storefronts running vulnerable Mirasvit Cache Warmer builds by sending a single HTTP request with a malicious cookie.

Affected Products

  • Mirasvit Full Page Cache Warmer for Magento 2 versions before 1.11.12
  • Magento 2 stores that load the mirasvit/module-cache-warmer Composer package
  • Deployments that expose the CacheWarmer cookie handling logic to unauthenticated traffic

Discovery Timeline

  • 2026-05-26 - CVE-2026-45247 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-45247

Vulnerability Analysis

The Mirasvit Full Page Cache Warmer module reads the CacheWarmer HTTP cookie and passes its contents directly to PHP's unserialize() function without validation or allowed-class restrictions. PHP unserialization reconstructs arbitrary objects, invoking magic methods such as __wakeup(), __destruct(), and __toString() during object lifecycle handling. Attackers chain these magic methods through classes shipped with Magento, Laminas, Symfony, and Guzzle to reach sensitive sinks including file writes, SQL execution, and command execution. The result is unauthenticated remote code execution under the web server account, granting full control over the Magento storefront, admin panel, and customer data.

Root Cause

The root cause is unsafe deserialization of attacker-controlled input. The module trusts the CacheWarmer cookie value and feeds it to unserialize() without using allowed_classes => false, JSON encoding, or a signed payload format. Magento 2 ships large class libraries that contain known gadget chains, so any unrestricted call to unserialize() on user input is exploitable in this environment.

Attack Vector

Exploitation requires only network access to the storefront. An attacker sends an HTTP request to any page handled by the Cache Warmer with a CacheWarmer cookie containing a crafted serialized object graph. When the module deserializes the cookie, the gadget chain executes during object construction or destruction, before authentication or session checks complete. No user interaction or prior credentials are required.

Verified exploitation code is not provided here. See the Sansec Research on Object Injection and the VulnCheck Advisory on Magento Injection for technical write-ups and gadget chain details.

Detection Methods for CVE-2026-45247

Indicators of Compromise

  • HTTP requests containing a CacheWarmer cookie whose value begins with serialized PHP markers such as O:, a:, or C: followed by a class name and length.
  • New or modified PHP files under pub/, var/, or app/etc/ directories created by the web server user without a corresponding deployment.
  • Outbound connections from the Magento application server to unknown hosts immediately after suspicious CacheWarmer cookie traffic.
  • Web shells, cron entries, or scheduled Magento jobs added outside normal change windows.

Detection Strategies

  • Inspect web server and reverse proxy logs for Cookie: headers containing CacheWarmer= values that decode to PHP serialized structures.
  • Add web application firewall rules that block or flag requests where the CacheWarmer cookie matches PHP serialization regular expressions.
  • Monitor PHP-FPM and Apache error logs for unserialize warnings, class-not-found errors, and unexpected magic method invocations referencing Magento or vendor classes.

Monitoring Recommendations

  • Alert on PHP processes spawning shell interpreters such as sh, bash, php -r, or python from the Magento document root.
  • Track integrity of the vendor/mirasvit/ directory and the Magento app/etc/env.php configuration file for unauthorized changes.
  • Forward web, application, and host telemetry to a centralized analytics platform and correlate cookie-based payload patterns with subsequent process and file system activity.

How to Mitigate CVE-2026-45247

Immediate Actions Required

  • Upgrade mirasvit/module-cache-warmer to version 1.11.12 or later using Composer and redeploy the Magento application.
  • If patching cannot occur immediately, disable the Mirasvit Full Page Cache Warmer module and clear compiled code and caches.
  • Block or strip the CacheWarmer cookie at the edge using the web application firewall or reverse proxy until the patched version is in production.
  • Rotate Magento admin credentials, API keys, encryption keys in app/etc/env.php, and database passwords if exploitation is suspected.

Patch Information

Mirasvit released a fixed build in version 1.11.12 of the Cache Warmer module. Apply the update with composer require mirasvit/module-cache-warmer:^1.11.12, followed by bin/magento setup:upgrade and bin/magento setup:di:compile. Refer to the Mirasvit Package Changelog for release notes and verification steps.

Workarounds

  • Configure the WAF to drop any request where the CacheWarmer cookie value matches PHP serialization patterns such as ^[Oa]:\d+:.
  • Temporarily remove or disable the Cache Warmer controllers and observers via app/etc/config.php until the upgrade is applied.
  • Restrict storefront access to known IP ranges during the remediation window for sites that support such filtering.
bash
# Update the Mirasvit Cache Warmer module to the fixed version
composer require mirasvit/module-cache-warmer:^1.11.12
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento cache:flush

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.