Scramble Remote Code Execution Vulnerability Discovered
An exploit titled “scramble - Remote Code Execution” was reported on May 7, 2026 by Joshua van der Poll. This vulnerability, identified as CVE-2026-44262, affects dedoc/scramble versions >=0.13.2 and <0.13.22.
Vulnerability Details
The root cause is a call to extract() followed by eval() in NodeRulesEvaluator::doEvaluateExpression(). Because extract() imports request-controlled keys as local variables, an attacker can overwrite Scramble's internal $code variable with arbitrary PHP via a query parameter on /docs/api.json, and that PHP is then evaluated. The exploit has been tested on Linux 6.10.14-linuxkit (aarch64), macOS, and Windows.
Attack Methodology
The attack targets query parameters within OpenAPI specifications. Vulnerable parameters are identified where schema defaults match Laravel rule keywords, such as “required|nullable|string|integer|numeric|boolean|array|min:|max:|in:”, or contain a pipe character. The exploit constructs a malicious URL using the /docs/api.json path, appending the crafted query parameter with the PHP payload. Output from print/echo appears before the JSON in the response body, allowing for capture of command execution results.
Probing for Vulnerability
Probing for this vulnerability includes a timing probe, where a sleep() payload is sent to measure response delays. If the response is delayed by approximately the SLEEP_SECONDS value (4 seconds in the provided example), the target is considered vulnerable. A command execution probe can further confirm exploitability by executing commands like “whoami” on Windows or “id 2>&1” on Unix-like systems, and capturing the output. The exploit enables attackers to read files, execute raw PHP code, and initiate reverse shells. The target operating system can be detected by printing php_uname('s'), which helps in crafting OS-specific payloads, such as writing proof files to “/tmp/scramble_rce_proof.txt” for Unix or “C:\Windows\Temp\scramble_rce_proof.txt” for Windows.
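The indicators the advisory describes (a query string on the /docs/api.json spec endpoint, probe payloads using sleep() or php_uname(), print/echo of command output, the scramble_rce_proof file name) can be turned into a simple access-log check. The following is an added example for defenders, not code from the advisory or from the Scramble project; the log lines are constructed, and the marker list and severity levels are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse, unquote

# Constructed combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2026:10:01:02 +0000] "GET /docs/api.json HTTP/1.1" 200 5120
203.0.113.9 - - [07/May/2026:10:01:07 +0000] "GET /docs/api.json?page=sleep(4); HTTP/1.1" 200 5120
203.0.113.9 - - [07/May/2026:10:01:09 +0000] "GET /docs/api.json?filter=print(php_uname('s')); HTTP/1.1" 200 5140
203.0.113.9 - - [07/May/2026:10:01:11 +0000] "GET /docs/api.json?x=required%7Cstring HTTP/1.1" 200 5120
198.51.100.2 - - [07/May/2026:10:02:00 +0000] "GET /api/users?page=2 HTTP/1.1" 200 812
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
DOCS_PATH = "/docs/api.json"  # spec endpoint named in the advisory
# Tokens taken from the advisory's probe descriptions plus generic PHP call syntax.
# Assumption: this list is illustrative and will need tuning per deployment.
PHP_MARKERS = re.compile(
    r"(sleep\s*\(|php_uname\s*\(|\b(?:print|echo|system|shell_exec|exec|passthru)\b"
    r"|\$\w+|scramble_rce_proof|;\s*$)"
)

def parse_query(query: str) -> Dict[str, List[str]]:
    """Split a query string on '&' only (avoids version-dependent ';' handling in parse_qs)."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params

def classify_line(line: str) -> Optional[dict]:
    """Return a finding for a request to the spec endpoint that carries a query string, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if url.path != DOCS_PATH or not url.query:
        return None  # the spec endpoint is assumed to take no query parameters normally
    params = parse_query(url.query)
    hits = sorted({n for n, vals in params.items() if any(PHP_MARKERS.search(v) for v in vals)})
    return {"ip": line.split()[0], "params": sorted(params),
            "suspicious": hits, "severity": "high" if hits else "low"}

def scan(log_text: str) -> List[dict]:
    """Scan all log lines; 'high' findings contain PHP-looking values, 'low' are merely unexpected."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]
```

Run `scan(SAMPLE_LOG)` to see two high-severity findings for the sleep() and php_uname() probes and one low-severity finding for the unexpected but non-PHP query string.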