Fix spatie/laravel-permission — CVE-2023-26490 HIGH

Fix CVE-2023-26490 (HIGH) in spatie/laravel-permission for PHP. Paste your composer.json into PackageFix and get a patched version — no CLI, no signup. Privilege escalation via permission cache poisoning.

⚠ Vulnerability

CVE-2023-26490 (HIGH) — privilege escalation via permission cache poisoning in spatie/laravel-permission below ^6.0.

Vulnerable — composer.json

"spatie/laravel-permission": "^5.0"

Fixed — composer.json

"spatie/laravel-permission": "^6.0"

✓ Fix

Update spatie/laravel-permission to ^6.0 and run composer install.


CVE Details

Field: Value
CVE ID: CVE-2023-26490
Severity: HIGH
Package: spatie/laravel-permission (PHP)
Safe version: ^6.0
CISA KEV:
Description: Privilege escalation via permission cache poisoning

Frequently Asked Questions

What is CVE-2023-26490?
CVE-2023-26490 is a HIGH severity vulnerability in spatie/laravel-permission (PHP) that allows privilege escalation via permission cache poisoning. Update to ^6.0 or later.
How do I fix CVE-2023-26490 in spatie/laravel-permission?
Update spatie/laravel-permission to version ^6.0 in your composer.json and run composer install.
Is CVE-2023-26490 being actively exploited?
Check packagefix.dev — the CISA KEV catalog updates daily.
How do I verify the fix for CVE-2023-26490?
After updating, paste your composer.json into PackageFix again. If CVE-2023-26490 no longer appears in the CVE table, the fix is applied.
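
A local check to go with the verification step above, added here as an example (it is not PackageFix or spatie code): it reads composer.lock, the file that records the version Composer actually installs, and compares the pinned release against the lower bound of the ^6.0 constraint. The function names, the MINIMUM constant and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "spatie/laravel-permission"
MINIMUM = (6, 0, 0)  # assumption: lower bound of the page's "^6.0" safe version

# Constructed sample: composer.json already says ^6.0, but the lock file
# was never refreshed and still pins a 5.x release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "v1.2.3"},
        {"name": "spatie/laravel-permission", "version": "5.10.1"},
    ],
    "packages-dev": [],
})


def locked_version(lock_text, package=PACKAGE):
    """Return the version composer.lock pins for `package`, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section) or []:
            if entry.get("name", "").lower() == package:
                return entry.get("version")
    return None


def parse_version(version):
    """Parse '6.4.0' or 'v5.10.1'; None for branches and pre-releases."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", version or "")
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def check_lock(lock_text):
    """Classify a composer.lock: 'fixed', 'vulnerable', 'unknown' or 'absent'."""
    version = locked_version(lock_text)
    if version is None:
        return "absent"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # e.g. 'dev-main': cannot be compared, review by hand
    return "fixed" if parsed >= MINIMUM else "vulnerable"


if __name__ == "__main__":
    print(PACKAGE, "->", check_lock(SAMPLE_LOCK))
```

A "vulnerable" result after composer.json has been edited means the lock file still resolves to an older release; in a real project, pass the contents of the project's composer.lock to check_lock.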
