PHP patches SOAP extension flaw that can lead to remote code execution
PHP maintainers have fixed a serious SOAP extension vulnerability that can let remote attackers execute code on vulnerable servers in some configurations.
The flaw is tracked as CVE-2026-6722 and affects PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6. It sits in the ext-soap component and comes from a use-after-free bug in how PHP handles SOAP object references.
Administrators who run PHP applications with the SOAP extension enabled should update immediately. The same PHP releases also fix related SOAP denial-of-service bugs and additional issues in standard PHP functions and mbstring.
What PHP fixed
The most important fix addresses CVE-2026-6722, a use-after-free issue in the PHP SOAP extension. The bug affects how ext-soap deduplicates objects in an XML graph through id and href attributes.
During SOAP XML processing, PHP stores object pointers in a global reference map. The vulnerable code failed to increase the reference count for those objects. With a crafted Apache Map structure, an attacker can make PHP free an object while a stale pointer to it remains available.
That stale pointer can later be reused. GitHub’s advisory says an attacker can gain a high degree of control over the freed memory region by allocating plain strings, which can lead to remote code execution.
At a glance
| Item | Details |
|---|---|
| Main vulnerability | CVE-2026-6722 |
| Affected component | PHP ext-soap |
| Bug type | Use-after-free |
| Impact | Remote code execution through crafted SOAP request data |
| Affected versions | PHP before 8.2.31, 8.3.31, 8.4.21, and 8.5.6 |
| Fixed versions | PHP 8.2.31, 8.3.31, 8.4.21, and 8.5.6 |
Why the SOAP flaw is dangerous
SOAP remains common in older enterprise applications, payment systems, internal APIs, CRM integrations, and business platforms. Many of these systems still process XML requests from network-facing services.
If an application exposes a vulnerable SoapServer endpoint to untrusted users, CVE-2026-6722 can become a high-risk entry point. The attacker needs control over the SOAP request body.
According to the vulnerability description, the issue does not require authentication. NVD lists the CVSS 3.1 vector as network attackable, low complexity, no privileges required, and no user interaction required.
Other SOAP vulnerabilities patched
PHP also fixed CVE-2026-7261, another use-after-free issue in SoapServer. This bug involves session-persisted handler objects and SOAP header parsing failures.
When SOAP_PERSISTENCE_SESSION is used, PHP can persist a SOAP handler object between requests through session storage. GitHub’s advisory says the affected code failed to handle that persistence mode correctly in some failure paths.
PHP also fixed CVE-2026-7262, a NULL pointer dereference in the SOAP Apache Map decoder. A crafted SOAP message with a missing value element can crash the PHP SOAP server process, leading to denial of service.
Key vulnerabilities
| CVE | Component | Issue | Main impact | Fixed in |
|---|---|---|---|---|
| CVE-2026-6722 | ext-soap | Use-after-free with Apache Map object references | Remote code execution | 8.2.31, 8.3.31, 8.4.21, 8.5.6 |
| CVE-2026-7261 | ext-soap | Use-after-free after SOAP header parsing failure | Memory corruption risk | 8.2.31, 8.3.31, 8.4.21, 8.5.6 |
| CVE-2026-7262 | ext-soap | NULL pointer dereference in Apache Map decoding | Denial of service | 8.2.31, 8.3.31, 8.4.21, 8.5.6 |
| CVE-2026-7258 | Standard functions | Signed char handling issue in ctype calls used by functions such as urldecode() | Denial of service on some platforms | 8.2.31, 8.3.31, 8.4.21, 8.5.6 |
| CVE-2026-6104 | mbstring | Out-of-bounds access in encoding-name parsing | Information disclosure risk | 8.4.21, 8.5.6 |
The urldecode and mbstring fixes also matter
CVE-2026-7258 affects PHP standard functions, including urldecode(). The issue comes from passing signed char values to ctype functions, which can cause out-of-bounds access on platforms with signed char behavior and optimized ctype table lookups.
NVD says this can trigger denial of service on systems such as NetBSD. While this bug does not carry the same impact as the SOAP RCE flaw, it still matters for applications that process untrusted URL-encoded input.
CVE-2026-6104 affects mbstring. PHP’s changelog describes the fix as an out-of-bounds access issue in mbfl_name2encoding_ex(). Security coverage describes it as a buffer over-read risk when parsing malformed encoding names.
Who needs to update first
Servers that expose SOAP endpoints to the internet should move first. This includes public APIs, partner integrations, legacy business services, and applications that accept SOAP XML from external users.
Internal SOAP services should also receive attention. Attackers often use internal services after gaining a foothold elsewhere in a network, and SOAP endpoints may not receive the same monitoring as newer APIs.
Hosts running PHP on shared infrastructure need careful review because a single vulnerable runtime can support several applications. Administrators should confirm the PHP version used by the web server, CLI jobs, workers, and containers.
What administrators should do now
- Upgrade PHP to 8.2.31, 8.3.31, 8.4.21, or 8.5.6.
- Check whether the SOAP extension is enabled on production systems.
- Disable ext-soap where applications do not need it.
- Review internet-facing SOAP endpoints for exposure.
- Restart PHP-FPM, Apache, Nginx workers, queues, and long-running services after patching.
- Rebuild containers and base images that include vulnerable PHP versions.
- Check logs for unusual SOAP requests using id, href, or apache:Map structures.
Why version checks can be misleading
Administrators should not rely only on the system package version shown by one command. Many servers run multiple PHP runtimes at the same time.
A host may use one PHP version for Apache, another for PHP-FPM, and another inside containers or scheduled jobs. Attackers only need the exposed vulnerable path to remain active.
Teams should check phpinfo pages, command-line PHP, web server module versions, container images, CI/CD build images, and package manager records before closing the incident.
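The checklist above and the warning about multiple runtimes can be turned into a host check. The script below is an added example, not code from the article or the PHP project: it classifies a version string against the fixed releases named in the article and lists every PHP and PHP-FPM binary it finds, with its ext-soap state. The binary paths in the glob list and the file name check_php_soap.sh are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example (not from the article or the PHP project). Fixed releases
# for CVE-2026-6722 per branch, as listed in the article.
fixed_patch_for_branch() {
  case "$1" in
    8.2) echo 31 ;;
    8.3) echo 31 ;;
    8.4) echo 21 ;;
    8.5) echo 6 ;;
    *)   echo "" ;;
  esac
}

# php_soap_status VERSION -> fixed | vulnerable | vulnerable-eol | unknown
# VERSION is "major.minor.patch" with an optional suffix (RC1, -dev); the
# suffix is dropped, so pre-release builds are judged by patch level only.
php_soap_status() {
  ver=$1
  branch=${ver%.*}             # 8.3.30RC1 -> 8.3
  patch=${ver##*.}             # 8.3.30RC1 -> 30RC1
  patch=${patch%%[!0-9]*}      # 30RC1     -> 30
  major=${branch%%.*}
  minor=${branch#*.}
  fixed=$(fixed_patch_for_branch "$branch")
  if [ -n "$fixed" ]; then
    if [ "${patch:-0}" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
  elif [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -lt 2 ]; }; then
    echo vulnerable-eol        # older than 8.2: affected, no fixed release in branch
  else
    echo unknown               # branch newer than the ones the article covers
  fi
}

# One tab-separated line per executable: path, version, status, soap state.
# The glob list is an assumption; mod_php and containers need their own check.
scan_php_binaries() {
  for bin in /usr/bin/php /usr/bin/php8.* /usr/local/bin/php \
             /usr/sbin/php-fpm /usr/sbin/php-fpm8.* /opt/*/bin/php; do
    [ -x "$bin" ] || continue
    # `php -v` and `php-fpm -v` both begin with "PHP <version> (<sapi>)".
    ver=$("$bin" -v 2>/dev/null | sed -n '1s/^PHP \([^ ]*\).*/\1/p')
    [ -n "$ver" ] || continue
    if "$bin" -m 2>/dev/null | grep -qix soap; then soap=loaded; else soap=absent; fi
    printf '%s\t%s\t%s\tsoap=%s\n' "$bin" "$ver" "$(php_soap_status "$ver")" "$soap"
  done
}

# Scan only when run as: sh check_php_soap.sh scan
if [ "${1-}" = scan ]; then scan_php_binaries; fi
```

A binary reported as vulnerable with soap=loaded is the one to patch or disable first; a binary the glob misses (Apache mod_php, a container image) still needs the same check inside that runtime.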
PHP SOAP users should treat this as urgent
CVE-2026-6722 gives attackers a path from crafted SOAP input to memory corruption and possible remote code execution. That puts vulnerable SOAP services in a higher-risk category than a normal crash bug.
The fix is available now in supported PHP branches. Organizations should patch quickly, reduce SOAP exposure, and disable the extension anywhere it is not required.
Legacy PHP services often remain online for years because they support business-critical integrations. These systems should move into the first wave of patching rather than waiting for routine maintenance windows.
FAQ
CVE-2026-6722 is a use-after-free vulnerability in PHP’s SOAP extension. It can allow remote code execution when an attacker controls a crafted SOAP request body.
PHP versions before 8.2.31, 8.3.31, 8.4.21, and 8.5.6 are affected by CVE-2026-6722.
The fixes are included in PHP 8.2.31, PHP 8.3.31, PHP 8.4.21, and PHP 8.5.6. The mbstring issue CVE-2026-6104 is fixed in PHP 8.4.21 and 8.5.6.
Administrators should disable ext-soap if their applications do not need it. Systems that require SOAP should be patched and reviewed for exposed endpoints.
CVE-2026-7262 is described as a NULL pointer dereference that can crash the PHP SOAP server process. It is mainly a denial-of-service issue, not the main remote code execution flaw.