Laravel-Backup-Restore OS Command Injection (CVE-2026-53932)
A critical OS command injection vulnerability, tracked as CVE-2026-53932, exists in the wnx/laravel-backup-restore package (versions <= 1.9.3), allowing an attacker to execute arbitrary shell commands on the hosting system by crafting a malicious backup archive with shell metacharacters in a database dump filename, leading to application compromise, data tampering, and potential lateral movement.
A significant OS command injection vulnerability, identified as CVE-2026-53932, affects the wnx/laravel-backup-restore package in versions prior to 1.9.4. This flaw allows an attacker to achieve arbitrary command execution on systems performing database restores. The vulnerability arises because the package improperly handles filenames within backup archives. When a specially crafted ZIP archive containing shell metacharacters in a database dump filename under the db-dumps directory is restored, the laravel-backup-restore package interpolates these unescaped filenames directly into database import commands. This execution occurs via Symfony's Process::fromShellCommandline(), which causes the shell metacharacters to be interpreted by /bin/sh on Unix-like systems or the platform shell on Windows. Successful exploitation can lead to full compromise of the application and the underlying server, operating with the privileges of the PHP/Laravel application user. This issue is not related to malicious SQL content but rather the structure of the backup archive's filenames.
Attack Chain
- An attacker crafts a malicious backup archive (e.g., a ZIP file) containing a
db-dumpsdirectory. - Inside the
db-dumpsdirectory, the attacker includes a database dump file with a filename that contains shell metacharacters (e.g.,dump.sql; cat /etc/passwd > /tmp/pwned.txt). - The malicious backup archive is introduced to the target system, potentially through a compromised source, malicious upload, or direct access.
- An operator or automated process on the target system initiates a database restore operation using the vulnerable
laravel-backup-restorepackage. - During the restore, the package extracts the ZIP archive and identifies the database dump file within the
db-dumpsdirectory. - The
laravel-backup-restorepackage constructs a shell command (e.g.,mysql ... < {dumpFile}) for database import, interpolating the unescaped malicious filename directly into the command string. - The underlying Symfony
Process::fromShellCommandline()executes the constructed command via/bin/shor the platform shell, interpreting the shell metacharacters and executing the attacker's injected arbitrary commands (e.g.,cat /etc/passwd). - The attacker's commands are executed on the server, leading to application compromise, data exfiltration, or further post-exploitation activities.
Impact
Successful exploitation of CVE-2026-53932 allows an attacker to execute arbitrary shell commands as the PHP/Laravel application user on the system performing the database restore. This can lead to a severe compromise of the affected application and the underlying server. Consequences include unauthorized access to sensitive data, such as database credentials and application secrets, complete data tampering or destruction, and the installation of backdoors for persistent access. Depending on the permissions of the PHP user, attackers could achieve lateral movement within the network or elevate privileges, turning a simple restore operation into a full system compromise. The severity of the impact is high given the potential for complete control over the compromised server.
Recommendation
- Immediately upgrade
wnx/laravel-backup-restoreto version 1.9.4 or higher to patch CVE-2026-53932. - Deploy the Sigma rules titled "Detect CVE-2026-53932 Exploitation - PHP Process Spawning Suspicious Commands (Windows)" and "Detect CVE-2026-53932 Exploitation - PHP Process Spawning Suspicious Commands (Linux)" to your SIEM solution.
- Ensure process creation logging is enabled for
phpand its child processes on all Windows and Linux servers running Laravel applications. - Review existing automated backup restore workflows and any manual restore procedures to minimize exposure to untrusted backup archives.
Detection coverage 2
Detect CVE-2026-53932 Exploitation - PHP Process Spawning Suspicious Commands (Windows)
highDetects exploitation of CVE-2026-53932 where the Laravel-Backup-Restore package's PHP process spawns suspicious shell commands or utilities on Windows due to OS command injection. This indicates arbitrary code execution.
Detect CVE-2026-53932 Exploitation - PHP Process Spawning Suspicious Commands (Linux)
highDetects exploitation of CVE-2026-53932 where the Laravel-Backup-Restore package's PHP process spawns suspicious shell commands or utilities on Linux due to OS command injection. This indicates arbitrary code execution.
Detection queries are available on the platform. Get full rules →