Skip to main content

Symfony Webhook Bridges CVE-2026-45754

| EUVDEUVD-2026-44360 MEDIUM
Improper Authentication (CWE-287)
2026-05-28 https://github.com/symfony/symfony GHSA-64hg-93w9-fc35
6.9
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 19:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 28, 2026 - 17:45 vuln.today
Analysis Generated
May 28, 2026 - 17:45 vuln.today

DescriptionCVE.org

Description

The Mailjet mailer bridge and the LOX24 SMS notifier bridge both ship webhook request parsers used to authenticate and decode the event callbacks each provider POSTs to an application's webhook endpoint. Their doParse(Request $request, #[\SensitiveParameter] string $secret) methods receive the configured webhook secret but never read it; they convert and return the payload unconditionally.

As a result, an application that wires up either webhook endpoint accepts any POST to that URL, even when a webhook secret is configured (the recommended setup). An attacker who knows the endpoint exists can submit forged event payloads, fake bounce / blocked / spam / open / click / delivery events, leading to suppression-list corruption, delivery-metrics fraud, etc.

Resolution

MailjetRequestParser::doParse() now rejects the request unless it carries the expected HTTP Basic credentials, Mailjet's webhook authentication mechanism, using a constant-time comparison. The configured webhook secret is matched against the credentials embedded in the Mailjet webhook URL as user:password (use :password when the URL has no username).

Lox24RequestParser::doParse() now rejects the request unless it carries an X-LOX24-Token HTTP header whose value matches the configured secret, using a constant-time comparison. The same token must be configured in the LOX24 dashboard under the callback settings.

When no secret is configured the behaviour is unchanged: webhook authentication remains opt-in, but it is now actually enforced once opted in.

The Mailjet patch is available here for branch 6.4.

The LOX24 patch is available here for branch 7.4 (the LOX24 bridge was introduced in 7.1 and is not present in 6.4).

Credits

Symfony would like to thank Himanshu Anand for reporting the issue, and Alexandre Daubois and Nicolas Grekas for providing the fixes.

AnalysisAI

Unauthenticated webhook event injection in Symfony's Mailjet Mailer and LOX24 SMS Notifier bridges allows remote attackers to POST arbitrary forged payloads to an application's webhook endpoint, even when a webhook secret is configured. The root cause is that both MailjetRequestParser::doParse() and Lox24RequestParser::doParse() accept a secret parameter but silently discard it, returning the payload unconditionally. Attackers who can discover the webhook URL can fabricate bounce, spam, open, click, or delivery events, leading to suppression-list corruption and delivery-metrics fraud. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected components are the Symfony Mailjet Mailer bridge (symfony/mailjet-mailer) and the Symfony LOX24 SMS Notifier bridge (symfony/lox24-notifier), both part of the broader symfony/symfony monorepo (CPE: pkg:composer/symfony_symfony, pkg:composer/symfony_mailjet-mailer, pkg:composer/symfony_lox24-notifier). These bridges implement the Symfony Webhook component pattern, where third-party providers POST event callbacks to an application-defined URL. The doParse(Request $request, string $secret) method signature in both parsers signals the intention to authenticate requests against the configured secret, but the implementation entirely omits that verification step - returning the decoded payload regardless of whether any credentials are present or correct. This maps directly to CWE-287 (Improper Authentication): a security-relevant function advertises an authentication mechanism that is never actually enforced. The LOX24 bridge was introduced in Symfony 7.1 and uses an X-LOX24-Token header; the Mailjet bridge uses HTTP Basic credentials embedded in the webhook URL. Both fixes use hash_equals() for constant-time comparison, preventing timing-based secret enumeration.

RemediationAI

Upgrade to the fixed versions as identified in the GitHub Security Advisory: symfony/lox24-notifier to 7.4.12 or 8.0.12; symfony/symfony to 6.4.40 or 7.4.12. The Mailjet fix commit (https://github.com/symfony/symfony/commit/3e52bf5ab733ee32e35eeeeb2631d859c941838e) targets branch 6.4, and the LOX24 fix commit (https://github.com/symfony/symfony/commit/4aaa45dd054f73445f1ab254968b7e60b546cc77) targets branch 7.4. Run composer update symfony/symfony symfony/mailjet-mailer symfony/lox24-notifier and confirm the installed version meets the fixed thresholds. If an immediate upgrade is not possible, a compensating control is to place the webhook endpoint behind a network-level or reverse-proxy rule that restricts POST access to the known source IP ranges published by Mailjet and LOX24 - this reduces exposure but introduces operational risk if provider IP ranges change. Alternatively, a WAF rule requiring the X-LOX24-Token header or Authorization: Basic header on webhook routes adds a shallow layer of defense, though it duplicates logic that should live in the application. Neither workaround is a substitute for patching.

Share

CVE-2026-45754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy