Impact statement: CVE-2026-6722 is a critical PHP SOAP extension vulnerability affecting PHP 8.2 before 8.2.31, 8.3 before 8.3.31, 8.4 before 8.4.21, and 8.5 before 8.5.6. The PHP Group rates the issue CVSS 9.5. If a public application processes untrusted SOAP input on a vulnerable PHP build, the worst-case impact is remote code execution inside the web application account.
This is a patch and mitigation guide for hosting providers, WHM/cPanel admins, VPS owners, and WordPress operators. We are not publishing attack strings, request details, or lab notes. The useful public answer is to inventory PHP, patch every active branch, restart services, verify the fixed versions, and review logs for suspicious application behavior.
Who Should Care
- WHM/cPanel servers using EasyApache 4 PHP packages.
- Plesk, DirectAdmin, Webmin/Virtualmin, and hand-built Apache/Nginx PHP-FPM servers.
- Containers, SaaS workers, billing systems, CRMs, legacy SOAP integrations, and API bridges running PHP.
- WordPress sites with plugins, themes, payment connectors, shipping connectors, or CRM integrations that enable or depend on PHP SOAP.
- Shared hosting providers where one vulnerable account can create cleanup, suspension, email reputation, and customer-notification problems.
If the SOAP extension is not installed and no application on the server uses it, exposure is lower. Still patch PHP, because the same May 2026 PHP releases include other security fixes across FPM, PDO Firebird, SOAP, Standard, MBString, DOM, and related components.
Patched PHP Targets
- PHP 8.2: update to 8.2.31 or a distro/vendor package that backports the fix.
- PHP 8.3: update to 8.3.31 or a distro/vendor package that backports the fix.
- PHP 8.4: update to 8.4.21 or a distro/vendor package that backports the fix.
- PHP 8.5: update to 8.5.6 or a distro/vendor package that backports the fix.
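To check a multi-PHP host against the targets above, the following shell script classifies each PHP CLI it finds and reports whether SOAP is loaded. It is an added example, not part of the original guide or any vendor tooling; the function names and the /opt/cpanel/ea-php*/ search path are assumptions.

```shell
#!/bin/sh
# Added example: compare PHP versions with the fixed releases in this guide.

# Minimum fixed patch level per branch (from the list above).
fixed_patch_for() {
    case "$1" in
        8.2|8.3) echo 31 ;;
        8.4)     echo 21 ;;
        8.5)     echo 6 ;;
    esac
}

# php_cve_status VERSION
# Prints: patched | below-upstream-fix | unlisted-branch | unparsed
# "below-upstream-fix" is not proof of exposure: a distro or vendor package
# may carry a backport, so check its changelog before deciding.
php_cve_status() {
    ver=${1%%[-+~]*}                      # drop packaging suffixes
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparsed; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}               # "31RC1" -> "31"
    [ -n "$patch" ] || { echo unparsed; return 0; }
    fixed=$(fixed_patch_for "$major.$minor")
    if [ -z "$fixed" ]; then echo unlisted-branch
    elif [ "$patch" -ge "$fixed" ]; then echo patched
    else echo below-upstream-fix
    fi
}

# Check every PHP CLI found. The /opt/cpanel/ea-php*/ path is the usual
# EasyApache 4 layout and is an assumption; adjust for your host.
audit_php_binaries() {
    for bin in $(command -v php 2>/dev/null) /opt/cpanel/ea-php*/root/usr/bin/php; do
        [ -x "$bin" ] || continue
        v=$("$bin" -r 'echo PHP_VERSION;' 2>/dev/null) || continue
        # CLI and FPM can load different ini files; confirm SOAP per pool too.
        if "$bin" -m 2>/dev/null | grep -qix soap; then soap=loaded; else soap=absent; fi
        printf '%s\t%s\t%s\tsoap=%s\n' "$bin" "$v" "$(php_cve_status "$v")" "$soap"
    done
}

audit_php_binaries
```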
WHM/cPanel Patch Walkthrough
Use WHM first if you prefer the supported UI path: WHM > EasyApache 4, update the active PHP profiles, then confirm MultiPHP Manager still assigns the right PHP version to each site.
/usr/local/cpanel/cpanel -V
/usr/local/cpanel/scripts/upcp --force
dnf clean all
dnf update 'ea-php*' 'ea-apache24*' -y
/usr/local/cpanel/scripts/restartsrv_httpd
/usr/local/cpanel/scripts/restartsrv_apache_php_fpm
After the update, verify the installed EasyApache PHP packages and the active PHP handler map.
rpm -qa | grep '^ea-php' | sort
/usr/local/cpanel/bin/rebuild_phpconf --current
php -v
php -m | grep -i '^soap$' || true
AlmaLinux, Rocky Linux, CloudLinux, And RHEL
On non-cPanel servers, update from your OS vendor, CloudLinux, Remi, or the PHP repository you actually use. Do not mix repositories blindly on production hosting nodes.
dnf clean all
dnf update 'php*' -y
php -v
php -m | grep -i '^soap$' || true
systemctl restart php-fpm httpd nginx 2>/dev/null || true
Debian And Ubuntu
Use your distro security repository or the PHP repository already configured on the server. Verify whether the package version is a new upstream release or a backported security build.
apt update
apt list --upgradable | grep -E '^php|php8'
apt upgrade
php -v
php -m | grep -i '^soap$' || true
systemctl restart apache2 nginx 'php*-fpm' 2>/dev/null || true
Containers And App Stacks
- Rebuild PHP images from patched upstream base images.
- Pull updated images for official PHP, vendor PHP-FPM, and framework-specific runtime images.
- Redeploy workers and web containers, not just the reverse proxy.
- Confirm the runtime inside the container with php -v.
- Check whether the SOAP extension is installed in the image and whether the application actually needs it.
docker compose pull
docker compose build --pull
docker compose up -d
docker compose exec php php -v
# -T disables TTY allocation so the piped output has no carriage returns and '^soap$' can match
docker compose exec -T php php -m | grep -i '^soap$' || true
Temporary Mitigation
Patching is the fix. If you cannot patch immediately, identify applications that use SOAP and restrict access to those services as much as the business allows. If an application does not need SOAP, disable the extension for that PHP version or pool after testing.
For shared hosting, do not disable SOAP globally without checking customer impact. Some payment, shipping, ERP, CRM, and legacy integrations still rely on it.
Post-Patch Review
- Confirm patched PHP versions for every branch still assigned to hosted sites.
- Restart Apache, Nginx, PHP-FPM pools, queue workers, and long-running PHP services.
- Review PHP-FPM, Apache, Nginx, application, and cPanel error logs for unusual crashes or repeated failures around SOAP/XML services.
- Review recently changed files in affected accounts if compromise is suspected.
- Reset credentials and notify customers if you find suspicious admin users, unfamiliar code changes, redirects, or malware indicators.
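For the log-review step above, this triage helper counts PHP-FPM workers that exited on a signal, grouped by pool. It is an added example, not part of the original guide; the log lines, the pool name soapapi, and the function names are constructed, and the line format is the one PHP-FPM writes to its error log.

```shell
#!/bin/sh
# Added example: count PHP-FPM workers that died on a signal, per pool.

# Constructed sample log; pool names, PIDs and timestamps are invented.
sample_fpm_log() {
    cat <<'EOF'
[12-May-2026 02:10:01] NOTICE: [pool www] child 4101 started
[12-May-2026 02:10:07] WARNING: [pool soapapi] child 4093 exited on signal 11 (SIGSEGV) after 61.204511 seconds from start
[12-May-2026 02:10:07] NOTICE: [pool soapapi] child 4102 started
[12-May-2026 02:10:09] WARNING: [pool soapapi] child 4102 exited on signal 11 (SIGSEGV) after 2.018834 seconds from start
[12-May-2026 02:10:12] WARNING: [pool soapapi] child 4103 exited on signal 11 (SIGSEGV) after 2.911002 seconds from start
[12-May-2026 02:11:30] WARNING: [pool www] child 4101 exited on signal 15 (SIGTERM) after 89.000120 seconds from start
[12-May-2026 02:12:00] WARNING: [pool www] child 4110 exited with code 0 after 30.100000 seconds from start
EOF
}

# fpm_signal_exits THRESHOLD < logfile
# Prints "pool signal count" for each pool/signal pair seen at least
# THRESHOLD times. Signal 11 (SIGSEGV) repeating in a pool that serves
# SOAP/XML endpoints deserves a closer look; signal 15 (SIGTERM) can also
# appear around the service restarts in this guide. A crash count is a
# triage signal, not proof of compromise.
fpm_signal_exits() {
    sed -n 's/.*\[pool \([^]]*\)] child [0-9]* exited on signal \([0-9]*\).*/\1 \2/p' |
        sort | uniq -c |
        awk -v t="${1:-1}" '$1 >= t { print $2, $3, $1 }'
}

# Demo on the constructed sample; on a server, redirect the real FPM
# error log into fpm_signal_exits instead.
sample_fpm_log | fpm_signal_exits 2
```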
What To Tell Customers
A critical PHP SOAP security issue was published for several PHP branches. We patched or are patching the affected PHP builds, restarting web services, and checking for application errors. Sites that do not use SOAP have lower exposure, but the PHP update is still important because the same release batch fixes multiple PHP security issues.
