From 680d393c99a672c85cefea79cbeb00f0f12ea10f Mon Sep 17 00:00:00 2001
From: Alexey Yuzhakov <alexei.yuzhakov@webpros.com>
Date: Wed, 20 May 2026 13:15:21 +0100
Subject: [PATCH] Restrict the deserialization of UI navigation structure to
 arrays

---
 src/Api/Operator/Ui.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Api/Operator/Ui.php b/src/Api/Operator/Ui.php
index c93dc3ce..fb56b001 100644
--- a/src/Api/Operator/Ui.php
+++ b/src/Api/Operator/Ui.php
@@ -12,7 +12,7 @@ public function getNavigation(): array
         $response = $this->request('get-navigation');
 
         /** @psalm-suppress ImplicitToStringCast, PossiblyNullArgument */
-        return unserialize(base64_decode($response->navigation));
+        return unserialize(base64_decode($response->navigation), ['allowed_classes' => false]);
     }
 
     public function createCustomButton(string $owner, array $properties): int