Laravel Valet 2.0.3 - Local Privilege Escalation (macOS) | Advisories

Advisories

Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)

severity: high
date: January 15, 2026
Affecting: Laravel Valet 1.1.4 to 2.0.3
CVE: CVE-2021-47756
CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
CVSS: 8.4
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-50591
Laravel Valet Official Documentation
Credit: leonjza
Description: Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication.