Which versions of Symfony Mime are affected by CVE-2026-45067?

Symfony's Mime email component contains a critical vulnerability allowing attackers to inject unauthorized email headers and SMTP commands into messages, potentially redirecting sensitive…. A patch is available.

Symfony Mime CVE-2026-45067

HIGH

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

2026-05-27 https://github.com/symfony/symfony

GHSA-qpmx-3rfj-7rhv

Information Disclosure

Lifecycle Timeline

Source Code Evidence Fetched

May 27, 2026 - 23:06 vuln.today

Analysis Generated

May 27, 2026 - 23:06 vuln.today

DescriptionNVD

Description

Symfony\Component\Mime\Address is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.

The constructor accepts email addresses whose local-part (the part before @) is an RFC-5322 *quoted string* containing raw \r\n bytes, e.g. "x\r\nBcc: attacker@evil"@example.com. The stored address is later emitted verbatim into (1) the rendered message headers and (2) SmtpTransport's MAIL FROM:<...> / RCPT TO:<...> protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.

Resolution

The Address constructor now rejects addresses containing line breaks.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

Email-header and SMTP command injection (CWE-93) in Symfony's Mime component (symfony/mime, also shipped in the symfony/symfony monolith) lets an attacker who controls any address value smuggle CRLF sequences past a trusted validation boundary. The Address value-object - used for every Mailer to/cc/bcc/from/reply-to address - accepts an RFC-5322 quoted-string local-part containing raw carriage-return/line-feed bytes, which is later emitted verbatim into rendered message headers and into SmtpTransport's MAIL FROM/RCPT TO lines, allowing injection of new headers (e.g. …

RemediationAI

Within 24 hours: Identify all Symfony installations and document versions of symfony/mime or symfony/symfony in use. Within 7 days: Apply vendor patches-upgrade to symfony/mime 5.4.52, 6.4.40, or 7.4.12 (depending on version line) or corresponding symfony/symfony versions. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45067 vulnerability details – vuln.today

Back