diff --git a/lib/private/TaskProcessing/Manager.php b/lib/private/TaskProcessing/Manager.php
index 6821aee65a002..dc6a2cec0865b 100644
--- a/lib/private/TaskProcessing/Manager.php
+++ b/lib/private/TaskProcessing/Manager.php
@@ -939,7 +939,17 @@ public function getAvailableTaskTypes(bool $showDisabled = false, ?string $userI
 		if ($this->availableTaskTypes === null) {
 			$cachedValue = $this->distributedCache->get($cacheKey);
 			if ($cachedValue !== null) {
-				$this->availableTaskTypes = unserialize($cachedValue);
+				// Restrict deserialization to the exact value-object classes stored in
+				// this cache entry. Bare unserialize() would allow an attacker who
+				// can write to the distributed cache backend to trigger PHP Object
+				// Injection via arbitrary gadget chains loaded in the process.
+				$this->availableTaskTypes = unserialize($cachedValue, [
+					'allowed_classes' => [
+						ShapeDescriptor::class,
+						ShapeEnumValue::class,
+						EShapeType::class,
+					],
+				]);
 			}
 		}
 		// Either we have no cache or showDisabled is turned on, which we don't want to cache, ever.