Symfony Mailomat Mailer CVE-2026-48747
Severity by source: MEDIUM
Network-reachable public webhook endpoint (AV:N, PR:N), but forging a signature without the secret requires advanced cryptanalytic capability against a weak primitive (AC:H); impact is integrity-only with no confidentiality or availability effect.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Description (source: CVE.org)
Symfony\Component\Mailer\Bridge\Mailomat\Webhook\MailomatRequestParser::validateSignature() parses the X-MOM-Webhook-Signature request header as algo=signature and passes the wire-supplied $algo directly to hash_hmac() when verifying the request against the configured webhook secret. The request therefore selects the HMAC primitive used to authenticate it.
PHP's hash_hmac() enforces only that the chosen algorithm is HMAC-compatible. That set still includes primitives with known cryptanalysis (md4, md5, ripemd128, tiger128,3 and others; e.g. existential forgery of HMAC-MD4, Contini & Yin, ASIACRYPT 2006). This is the canonical algorithm-confusion shape, analogous to JWT alg=none / alg=HS256 downgrades: any future cryptographic weakness in any HMAC primitive PHP exposes becomes immediately exploitable against a Mailomat webhook receiver, the moment an attacker is in a position to compute a signature for that primitive, without a code change on the Symfony side.
Mailomat's documented webhook security pins SHA-256; the parser did not.
Resolution
MailomatRequestParser::validateSignature() now requires the signature header to be of the form sha256=<hex> and verifies the signature with HMAC-SHA256 keyed by the configured secret using a constant-time comparison. Any other algorithm declared on the wire (including the HMAC primitives PHP would otherwise accept) is rejected.
The patch for this issue is available here for branch 7.4 (and forward-ported to 8.0 and 8.1).
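To make the algorithm-confusion shape and the fix concrete, here is an added illustration (not Symfony's code, and not the actual patch): a verifier that lets the header pick the HMAC primitive, beside a verifier that pins sha256 and fails closed on anything else. Function names, the secret and the payload are constructed for the example.

```php
<?php
// Added example, not Symfony's MailomatRequestParser. Shows the vulnerable
// shape described in the advisory next to a pinned-algorithm verifier.
declare(strict_types=1);

// Vulnerable shape: the header "algo=hex" selects the HMAC primitive, so any
// HMAC-capable algorithm PHP exposes (md4, md5, ripemd128, ...) is honoured.
function verifyWebhookVulnerable(string $header, string $body, string $secret): bool
{
    [$algo, $signature] = explode('=', $header, 2) + [null, null];
    if ($algo === null || $signature === null) {
        return false;
    }
    // $algo comes straight off the wire: the request chooses its own primitive.
    $expected = hash_hmac($algo, $body, $secret);
    return hash_equals($expected, $signature);
}

// Hardened shape: only "sha256=<64 lowercase hex chars>" is accepted. A
// different algorithm name, an uppercase or short digest, or a missing "="
// all fail closed before any HMAC is computed.
function verifyWebhookPinned(string $header, string $body, string $secret): bool
{
    if (!preg_match('/^sha256=([0-9a-f]{64})$/', $header, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $body, $secret); // primitive fixed in code
    return hash_equals($expected, $m[1]);            // constant-time compare
}

// Constructed secret and payload for the demonstration.
$secret = 'constructed-webhook-secret';
$body   = '{"event":"delivered","message_id":"constructed-example"}';

// A correctly signed request, and the same body signed with a weaker primitive
// (computed here with the secret only to show which verifier honours it).
$sha256Header = 'sha256=' . hash_hmac('sha256', $body, $secret);
$md4Header    = 'md4=' . hash_hmac('md4', $body, $secret);

// The vulnerable verifier follows the header's choice of primitive; the pinned
// verifier rejects anything that is not an HMAC-SHA256 signature.
var_dump(verifyWebhookVulnerable($md4Header, $body, $secret));
var_dump(verifyWebhookPinned($md4Header, $body, $secret));
var_dump(verifyWebhookPinned($sha256Header, $body, $secret));
```

A receiver that pins the primitive can also log any header whose prefix is not sha256= as a downgrade attempt, which gives a cheap detection signal for this vulnerability class.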
Credits
Symfony would like to thank Omar Alshammari, Essam Alanazi and Alwaleed Alshammari for reporting the issue and Nicolas Grekas for providing the fix.
Analysis (AI)
Algorithm-confusion in Symfony's Mailomat webhook parser allows an attacker to downgrade the HMAC primitive used for signature verification, bypassing webhook authentication. Symfony packages symfony/mailomat-mailer and symfony/symfony versions 7.2.0 through 7.4.12 and 8.0.0 through 8.0.12 accept an attacker-controlled algorithm field from the inbound X-MOM-Webhook-Signature request header and pass it directly to PHP's hash_hmac(), enabling an adversary who can exploit cryptographic weaknesses in weaker HMAC primitives (e.g., HMAC-MD4 existential forgery) to inject fraudulent webhook payloads. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the attacker can send HTTP POST requests to the Symfony application's Mailomat webhook route - a network-accessible endpoint configured to receive Mailomat callbacks, typically with no authentication gatekeeping (webhook receivers are public by design). … |
| Risk Assessment | No CVSS vector or EPSS score is present in the input data; all metric assessments below are independently derived. … |
| Exploit Scenario | An attacker with network access to a Symfony application's Mailomat webhook endpoint crafts a malicious POST payload simulating a fraudulent email delivery event, then computes its HMAC using the HMAC-MD4 forgery technique (Contini & Yin, ASIACRYPT 2006) without knowledge of the webhook secret. The attacker sets the X-MOM-Webhook-Signature header to md4=<forged_value>; the unpatched validateSignature() method accepts the attacker-supplied algorithm, calls hash_hmac('md4', ..., $secret), and the constant-time comparison passes against the forged value. … |
| Remediation | Upgrade symfony/mailomat-mailer (or symfony/symfony) to version 7.4.13 or later on the 7.x line, or to 8.0.13 or later on the 8.x line; these are the vendor-confirmed fixed versions per GHSA-rrj9-5q2j-4gvr. … |
External POC / Exploit Code
GHSA-rrj9-5q2j-4gvr