Symfony Security-HTTP CVE-2026-45069
MEDIUM
GHSA-29fc-p6c4-24cg
Lifecycle Timeline
2DescriptionNVD
Description
OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager.
OidcTokenHandler::verifyClaims() registers audience (aud), issuer (iss), and expiry (exp) checkers, but never passes the $mandatoryClaims argument to ClaimCheckerManager::check(). That method only validates claims that are *present* in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply omits aud, iss, and exp therefore passes verification.
Resolution
The OidcTokenHandler now calls the ClaimCheckerManager with the list of mandatory claims so that tokens missing aud, iss, or exp are rejected.
The patch for this issue is available here for branch 6.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
AnalysisAI
Symfony's OidcTokenHandler accepts bearer JWTs that omit the audience (aud), issuer (iss), and expiry (exp) claims, bypassing critical security constraints enforced by OpenID Connect. Applications using symfony/security-http's OIDC access-token authentication are exposed to authentication bypass: an attacker presenting a validly-signed JWT that simply lacks these claims will be authenticated without audience binding, issuer verification, or expiry enforcement. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today