Severity: CRITICAL | CVE-2026-45034 | CNA: GitHub_M

CVE-2026-45034: PhpSpreadsheet: File::prohibitWrappers bypass

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.5, CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parse_url($filename, PHP_URL_SCHEME) and then checks is_string($scheme) && strlen($scheme) > 1 to reject stream wrappers such as phar://, php://, data:// or expect://.

The check is not equivalent to "does the path contain a wrapper". When the input has the form phar:///path/file.phar/inner with three or more slashes after the scheme, parse_url returns boolean false instead of returning the scheme string. The is_string($scheme) branch is therefore skipped, the helper returns without throwing, and the caller proceeds. PHP's stream layer, however, still treats phar:///... as a valid phar wrapper and opens the underlying phar file. The result is that IOFactory::load($attackerPath) walks past the patch and still touches the phar wrapper.

On PHP 7.x, simply reaching the phar wrapper via is_file is enough for PHP to automatically deserialize the phar metadata, which in turn invokes the magic methods __wakeup and __destruct of an attacker controlled object and gives full RCE. On PHP 8.x, automatic metadata deserialization for plain file ops was removed, so the chain at the PhpSpreadsheet layer reduces to a phar wrapper file read primitive, and RCE only resurfaces if the downstream consumer ever calls Phar::getMetadata. This vulnerability is fixed in 1.30.5.
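The gap between the described check and a direct scheme match can be pinned down in a small regression harness. This is an added example, not PhpSpreadsheet's code or the upstream 1.30.5 fix: rejectsAsDescribed reconstructs the check from the description above, rejectsStrict is a hypothetical stricter check, and the sample paths are constructed.

```php
<?php
declare(strict_types=1);

// Check as the advisory describes it (reconstructed from the description,
// not copied from PhpSpreadsheet source). true means "rejected".
function rejectsAsDescribed(string $filename): bool
{
    $scheme = parse_url($filename, PHP_URL_SCHEME);
    // parse_url() returns false for input it cannot parse, so is_string()
    // fails and the path is treated as wrapper-free.
    return is_string($scheme) && strlen($scheme) > 1;
}

// Hypothetical stricter check (an assumption, not the 1.30.5 patch): match the
// scheme prefix directly, so the decision never depends on parse_url().
// Requiring two or more scheme characters keeps Windows drive letters (C:\...)
// allowed; a relative name such as "ab:c.xlsx" is rejected too (fails closed).
function rejectsStrict(string $filename): bool
{
    return preg_match('/^[a-z][a-z0-9+.\-]+:/i', $filename) === 1;
}

// Constructed sample inputs; the phar:/// form is the one quoted in the advisory.
$samples = [
    '/srv/uploads/report.xlsx',
    'C:\\uploads\\report.xlsx',
    'phar://path/file.phar/inner',
    'phar:///path/file.phar/inner',
];

foreach ($samples as $path) {
    printf(
        "%-32s as-described=%-8s strict=%s\n",
        $path,
        rejectsAsDescribed($path) ? 'reject' : 'allow',
        rejectsStrict($path) ? 'reject' : 'allow'
    );
}
```

Any row where the two columns disagree is an input the described check lets through to the stream layer; keeping such rows in a unit test guards against the check regressing after an upgrade.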

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a stream-wrapper validation bypass leading to phar deserialization in PHPOffice/PhpSpreadsheet, affecting all versions before 1.30.5. The flaw is reachable over the network with no authentication required: a crafted filename using three or more slashes after the phar: scheme (for example, phar:///path/file.phar/inner) causes the File::prohibitWrappers helper to silently skip its validation, allowing PHP's stream layer to open the phar file anyway. On PHP 7.x, this gives an unauthenticated remote attacker full remote code execution by triggering automatic phar metadata deserialization; on PHP 8.x the immediate impact is a file read via the phar wrapper, with RCE possible if the application or a downstream consumer calls Phar::getMetadata. HarborGuard tracks this advisory. The description states a fix exists at 1.30.5, so a patched-image rebuild at 1.30.5 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including GitHub Advisory Database) within minutes of publication and matched against all customer images, including internally built images that bundle PhpSpreadsheet as a dependency. Any image whose manifest resolves to a PHPOffice/PhpSpreadsheet version below 1.30.5 is flagged immediately.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.2 (Critical) using the v4.0 vector and weights that score against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the team or inbox configured in each customer's notification policy, so the right engineers are alerted without manual triage.

Status: Available

Patch

A patched-image rebuild at PhpSpreadsheet 1.30.5 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable IOFactory::load call must be reachable over the network, meaning an attacker can supply a crafted filename to the application from a remote connection.

  • Authentication: Not required

    No credentials or session are needed; the CVSS vector specifies PR:N, so any unauthenticated request that reaches the file-load code path is sufficient.

  • Victim interaction: Not required

    No user action is required on the target side; the CVSS vector specifies UI:N, so the exploit executes without social engineering or user clicks.

  • Attack complexity: Detail

    The base exploit is reliable and condition-free (AC:L), though the CVSS vector notes an attack requirement of AT:P, meaning the attacker must be able to control the filename argument passed to IOFactory::load, which depends on how the application exposes that input.

Blast Radius

  • On PHP 7.x, a successful attacker executes arbitrary code on the host running PhpSpreadsheet by triggering deserialization of attacker-controlled phar metadata, invoking __wakeup and __destruct magic methods on arbitrary objects.
  • On PHP 8.x without Phar::getMetadata calls, a successful attacker reads arbitrary files accessible to the PHP process by redirecting file operations through the phar wrapper.
  • If the application or any downstream library calls Phar::getMetadata on PHP 8.x, the attacker regains full remote code execution through the same deserialization chain.
  • In all cases the CVSS v4.0 impact tokens indicate high confidentiality, integrity, and availability impact: the attacker reads sensitive data, modifies or deletes files and application state, and disrupts service availability on the affected host.

How HarborGuard Handles This

Available on HarborGuard: detection against all customer images is active immediately upon CVE publication, matching any image that packages PHPOffice/PhpSpreadsheet below version 1.30.5. Because a fix exists at 1.30.5, a patched-image rebuild is available for any environment where the affected library is present. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fixed version, runs a regression test suite, and opens a pull request against affected workloads; for critical-severity issues, median time from publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with the fix version clearly marked so engineers can act manually. Until a rebuild is applied, consider applying network policy controls that restrict which services can pass user-controlled filenames to PhpSpreadsheet's IOFactory::load, and validate that no external input reaches that code path without sanitization.

Affected packages
  • PHPOffice / PhpSpreadsheet
    < 1.30.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N