CVE-2020-36326
Description
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPMailer 6.1.8 through 6.4.0 allows object injection via Phar deserialization when adding a UNC pathname as an attachment.
Vulnerability
PHPMailer versions 6.1.8 through 6.4.0 are vulnerable to object injection through Phar deserialization. The flaw resides in the addAttachment() method, where user-supplied pathnames are not sufficiently sanitized. Specifically, when a UNC pathname (e.g., \\server\share\file.phar) is passed, the code introduced in version 6.1.8 to fix a functionality problem inadvertently removed the prior blocking mechanism. This allows an attacker to supply a phar:// URI that triggers deserialization of a Phar archive when the file is accessed. The affected versions are 6.1.8 (the release that introduced that fix) up to and including 6.4.0; 6.4.1 patches the issue. [1][2][3]
Exploitation
An attacker must be able to control the $path parameter passed to addAttachment(), which typically requires some level of user input or file upload handling. The attacker provides a UNC path (starting with \\) that points to a malicious Phar file hosted on a remote SMB share. When PHPMailer processes this path, it calls file_exists() and is_readable() without first sanitizing the phar:// wrapper, leading to Phar deserialization. No authentication is needed if the application exposes the attachment functionality to unauthenticated users. The attacker must also host an SMB server serving the crafted Phar file. [1][2][3]
Impact
Successful exploitation results in arbitrary object instantiation and deserialization, which can lead to remote code execution (RCE) depending on the available gadget chains in the PHP environment. The attacker can potentially execute arbitrary commands, read sensitive files, or otherwise compromise the application and underlying server. The impact is severe, with a CVSS score of 9.8 (Critical). [2]
Mitigation
The vulnerability is fixed in PHPMailer version 6.4.1, released on April 27, 2021. Users should upgrade immediately to 6.4.1 or later. The fix introduces a new fileIsAccessible() method that properly checks file permissions while still allowing UNC paths when appropriate, without exposing the phar:// deserialization vector. No workaround is available; upgrading is the only complete mitigation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing. [1][3][4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmailer/phpmailer (Packagist) | >= 6.1.8, < 6.4.1 | 6.4.1 |
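A practical check, added here and not part of this advisory or of PHPMailer: scan a project's composer.lock for phpmailer/phpmailer entries that fall inside the affected range from the table above. The lock-file content in the block is constructed, not taken from any real project.

```python
import json
import re

# Affected range for CVE-2020-36326 as listed in the table above: >= 6.1.8, < 6.4.1.
AFFECTED_PACKAGE = "phpmailer/phpmailer"
AFFECTED_FROM = (6, 1, 8, 1)  # first affected final release (inclusive)
PATCHED_AT = (6, 4, 1, 1)     # first fixed final release (exclusive upper bound)

def parse_version(tag):
    """Map a Composer tag ('v6.4.0', '6.1.8', '6.4.1-RC1') to a comparable tuple.
    The 4th element is 0 for a pre-release and 1 for a final release, so a
    pre-release of 6.4.1 sorts below the fix and is still reported as affected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", tag)
    if not m:
        return None  # no numeric core (e.g. 'dev-master'): cannot be compared
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)

def classify(version):
    """Return 'affected', 'not affected', or 'unknown' (flag for manual review)."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    return "affected" if AFFECTED_FROM <= v < PATCHED_AT else "not affected"

def scan_composer_lock(lock_text):
    """List (section, version, status) for each phpmailer/phpmailer entry in a
    composer.lock document, checking both runtime and dev packages."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == AFFECTED_PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, classify(version)))
    return findings

# Constructed sample composer.lock (not from any real project) with one vulnerable entry.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "phpmailer/phpmailer", "version": "v6.3.0"},
                 {"name": "psr/log", "version": "1.1.4"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in scan_composer_lock(SAMPLE_LOCK):
        print(f"{section}: {AFFECTED_PACKAGE} {version} is {status} (CVE-2020-36326)")
```

Versions that cannot be parsed (branch aliases such as dev-master) are reported as unknown rather than silently skipped, so they still get looked at.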
Affected products
- PHPMailer/PHPMailer; OSV package coordinates (4 versions): pkg:bitnami/phpmailer, pkg:bitnami/wordpress, pkg:bitnami/wordpress-multisite, pkg:composer/phpmailer/phpmailer; range >= 6.1.8, < 6.4.1 (+ 3 more)
- (no CPE) range: >= 6.1.8, < 6.4.1
- (no CPE) range: >= 3.7.0, < 3.7.36
- (no CPE) range: >= 3.7.0, < 3.7.36
- (no CPE) range: >= 6.1.8, < 6.4.1
Patches
Commit e2e07a355ee8: Proposed fix for #2069
2 files changed · +24 −4
src/PHPMailer.php+21 −4 modified@@ -1753,6 +1753,23 @@ protected static function isPermittedPath($path) return !preg_match('#^[a-z]+://#i', $path); } + /** + * Check whether a file path is safe, accessible, and readable. + * + * @param string $path A relative or absolute path to a file + * + * @return bool + */ + protected static function fileIsAccessible($path) + { + $readable = file_exists($path); + //If not a UNC path (expected to start with \\), check read permission, see #2069 + if (strpos($path, '\\\\') !== 0) { + $readable = $readable && is_readable($path); + } + return static::isPermittedPath($path) && $readable; + } + /** * Send mail using the PHP mail() function. * @@ -2141,7 +2158,7 @@ public function setLanguage($langcode = 'en', $lang_path = '') // There is no English translation file if ('en' !== $langcode) { // Make sure language file path is readable - if (!static::isPermittedPath($lang_file) || !file_exists($lang_file)) { + if (!static::fileIsAccessible($lang_file)) { $foundlang = false; } else { // Overwrite language-specific strings. @@ -2970,7 +2987,7 @@ public function addAttachment( $disposition = 'attachment' ) { try { - if (!static::isPermittedPath($path) || !@is_file($path) || !is_readable($path)) { + if (!static::fileIsAccessible($path)) { throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE); } @@ -3144,7 +3161,7 @@ protected function attachAll($disposition_type, $boundary) protected function encodeFile($path, $encoding = self::ENCODING_BASE64) { try { - if (!static::isPermittedPath($path) || !file_exists($path) || !is_readable($path)) { + if (!static::fileIsAccessible($path)) { throw new Exception($this->lang('file_open') . $path, self::STOP_CONTINUE); } $file_buffer = file_get_contents($path); 
@@ -3530,7 +3547,7 @@ public function addEmbeddedImage( $disposition = 'inline' ) { try { - if (!static::isPermittedPath($path) || !@is_file($path) || !is_readable($path)) { + if (!static::fileIsAccessible($path)) { throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE); }
test/PHPMailerTest.php+3 −0 modified@@ -1476,6 +1476,9 @@ public function testAltBodyAttachment() return; } + //Test using non-existent UNC path + self::assertFalse($this->Mail->addAttachment('\\\\nowhere\nothing')); + $this->buildBody(); self::assertTrue($this->Mail->send(), $this->Mail->ErrorInfo); }
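Review bot: in the new fileIsAccessible() (hunk at src/PHPMailer.php -1753), `$readable = file_exists($path);` runs before `static::isPermittedPath($path)` is consulted, so a path carrying a stream wrapper still reaches file_exists() before it is rejected; the trailing `&&` only decides the return value, it does not prevent that call. Since the advisory describes deserialization being triggered when the file is accessed, check isPermittedPath() first and return early (`if (!static::isPermittedPath($path)) { return false; }`) before any filesystem function runs. The docblock also promises "safe, accessible, and readable" while readability is deliberately skipped for UNC paths; say so in the description.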
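Review bot: in setLanguage() (hunk -2141), replacing `!static::isPermittedPath($lang_file) || !file_exists($lang_file)` with fileIsAccessible() tightens the check to also require is_readable() for non-UNC paths, so a language file that exists but is unreadable now silently falls back to English (`$foundlang = false`) instead of failing on the later include; that is a behaviour change worth a changelog line, and the comment "Make sure language file path is readable" now matches what the code does.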
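Review bot: in addAttachment() (hunk -2970), the removed condition tested `@is_file($path)`, but fileIsAccessible() tests file_exists(), which is also true for directories; a directory path therefore passes this check and only fails later in encodeFile() with the file_open message instead of file_access. Keep an is_file() test for attachments, e.g. `if (!static::fileIsAccessible($path) || !@is_file($path))`.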
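Review bot: in encodeFile() (hunk -3144), because fileIsAccessible() intentionally skips is_readable() for UNC paths, `$file_buffer = file_get_contents($path);` on the line after the new check can still return false for an unreadable share; the visible context does not test that, so either check `false === $file_buffer` and throw the file_open exception, or confirm the lines that follow already do.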
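Review bot: in addEmbeddedImage() (hunk -3530), the same point as in addAttachment() applies: dropping `@is_file($path)` means a directory path now passes fileIsAccessible(); add `|| !@is_file($path)` here too so embedded images and attachments keep behaving alike.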
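Review bot: in test/PHPMailerTest.php (hunk -1476), the added assertion only covers a non-existent UNC share (`'\\\\nowhere\nothing'`) and sits inside testAltBodyAttachment() rather than in a test of its own; add a dedicated test for fileIsAccessible() that also asserts a wrapper-prefixed path (the case isPermittedPath() exists for) is rejected, so the regression this advisory describes stays pinned.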
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m298-fh5c-jc66 (GHSA: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/ (MITRE: vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/ (MITRE: vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-36326 (GHSA: advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml (GHSA: web)
- github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9 (GHSA: web, x_refsource_MISC)
- github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1 (GHSA: web)
- github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66 (GHSA: web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B (GHSA: web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT (GHSA: web)
News mentions
No linked articles in our index yet.