Symfony Framework CVE-2026-45075
MEDIUM
GHSA-6439-2f28-8p8q
Lifecycle Timeline
2DescriptionNVD
Description
Symfony's #[IsGranted('...')], #[IsSignatureValid], and #[IsCsrfTokenValid(...)] attributes allow you to define a methods: [...] argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining methods: ['GET'] would be ignored for a HEAD request.
On the other hand, Symfony's router (and HTTP semantics generally) serves HEAD requests using the GET handler. Therefore, a controller protected by e.g. #[IsGranted('ROLE_ADMIN', methods: ['GET'])] can be reached via HEAD with the authorization check silently skipped.
Even if the HEAD request won't get any response content, response headers leak (Content-Length, Location, custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur.
Resolution
When adding GET in the methods option of these attributes, Symfony now also include the HEAD method automatically.
The patch for this issue is available here for branch 7.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.
AnalysisAI
Authorization bypass in Symfony's HTTP method-scoped security attributes allows controllers protected by #[IsGranted], #[IsSignatureValid], or #[IsCsrfTokenValid] with a methods: ['GET'] filter to be reached via HEAD requests with all security checks silently skipped. Affected packages symfony/http-kernel and symfony/security-http versions 7.4.0-7.4.11 and 8.0.0-8.0.11 are vulnerable. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today