Skip to main content

Symfony CVE-2026-45075

| EUVDEUVD-2026-44350 HIGH
Incorrect Authorization (CWE-863)
2026-05-27 https://github.com/symfony/symfony GHSA-6439-2f28-8p8q
8.3
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N/UI:N) but requires a specific non-default method-scoped guard (AC:H); high integrity from unguarded side effects, low confidentiality from header leak, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 14, 2026 - 19:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 14, 2026 - 19:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 19:22 NVD
8.3 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 22:30 vuln.today
Analysis Generated
May 27, 2026 - 22:30 vuln.today

DescriptionCVE.org

Description

Symfony's #[IsGranted('...')], #[IsSignatureValid], and #[IsCsrfTokenValid(...)] attributes allow you to define a methods: [...] argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining methods: ['GET'] would be ignored for a HEAD request.

On the other hand, Symfony's router (and HTTP semantics generally) serves HEAD requests using the GET handler. Therefore, a controller protected by e.g. #[IsGranted('ROLE_ADMIN', methods: ['GET'])] can be reached via HEAD with the authorization check silently skipped.

Even if the HEAD request won't get any response content, response headers leak (Content-Length, Location, custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur.

Resolution

When adding GET in the methods option of these attributes, Symfony now also include the HEAD method automatically.

The patch for this issue is available here for branch 7.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.

AnalysisAI

Authorization bypass in Symfony 7.4.x (before 7.4.12) and 8.0.x (before 8.0.12) lets remote attackers reach controllers protected by #[IsGranted], #[IsSignatureValid], or #[IsCsrfTokenValid] attributes configured with methods: ['GET'] by sending an HTTP HEAD request, which the router dispatches to the GET handler while the security check is silently skipped. Affected controllers still execute - leaking response headers (Content-Length, Location, custom headers) and performing side effects such as database writes - despite the missing authorization, signature, or CSRF validation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%), but the flaw is a genuine access-control gap fixed in 7.4.12 and 8.0.12.

Technical ContextAI

Symfony is a widely used PHP web framework. The affected code lives in the http-kernel and security-http Composer packages, specifically the attribute classes and their kernel event listeners (IsGrantedAttributeListener, IsSignatureValidAttributeListener, IsCsrfTokenValidAttributeListener). These attributes accept a methods argument so a check applies only to listed HTTP verbs; the listener compares the current request method against that list and skips enforcement when it does not match. Per HTTP/1.1 semantics (RFC 9110), a HEAD request is served by the same handler as GET but returns no body - Symfony's router therefore routes HEAD to the GET controller. Because the attribute list contained 'GET' but not 'HEAD', the method comparison failed for HEAD and the guard was bypassed while the controller still ran. This is a classic CWE-863 Incorrect Authorization: the access-control decision is keyed on an incomplete set of conditions. The fix normalizes methods to uppercase and automatically appends 'HEAD' whenever 'GET' is present, so HEAD is now covered by any GET-scoped check.

RemediationAI

Vendor-released patch: upgrade to Symfony 7.4.12 or 8.0.12 (run composer update symfony/http-kernel symfony/security-http, or symfony/symfony for the metapackage), which makes any methods list containing GET automatically include HEAD. The fixing commit is https://github.com/symfony/symfony/commit/fa8d5c67aa4b22c9656e3fd7d5c3aa59865bf838 and releases are tagged at https://github.com/symfony/symfony/releases/tag/v7.4.12 and https://github.com/symfony/symfony/releases/tag/v8.0.12. If you cannot patch immediately, the actionable interim control is to explicitly add 'HEAD' alongside 'GET' in the methods argument of every affected attribute (e.g. methods: ['GET', 'HEAD']), which closes the specific bypass at the application level; alternatively remove the methods restriction so the guard applies to all verbs. As an infrastructure-level compensating control, configure a reverse proxy or WAF to block or rewrite HEAD requests to protected routes - trade-off: this can break legitimate clients and caches that rely on HEAD for metadata/existence checks, so scope it narrowly to sensitive endpoints. Review the GHSA-6439-2f28-8p8q advisory before deploying any mitigation.

Share

CVE-2026-45075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy