Skip to main content

Symfony EUVDEUVD-2026-44338

| CVE-2026-45074 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-05-27 https://github.com/symfony/symfony GHSA-j8gj-9rm5-4xhx
7.6
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network-reachable and unauthenticated to the target (AV:N/PR:N), but AC:H and UI:R reflect the required control of a co-federated CAS app and capture of a victim's ticket; full account takeover gives C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 18:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 18:22 NVD
7.6 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 22:31 vuln.today
Analysis Generated
May 27, 2026 - 22:31 vuln.today

DescriptionCVE.org

Cas2Handler builds this service parameter from Request::getSchemeAndHttpHost(), which reflects the attacker-controlled HTTP Host header whenever Symfony's framework.trusted_hosts setting is not configured (the default). An attacker who controls any *other* application registered with the same CAS server can replay a victim's ticket against the Symfony application, with a spoofed Host header, and be authenticated as that victim.

Resolution

A new required service_url configuration option is introduced on Cas2Handler. The CAS service parameter sent to the validation endpoint is now built from this configured URL instead of being derived from the request's Host header, preventing cross-service ticket replay via Host header spoofing.

The patch for this issue is available here for branch 7.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Nicolas Grekas for providing the fix.

AnalysisAI

Authentication bypass in Symfony's Security-Http CAS2 integration (Cas2Handler) lets an attacker impersonate a victim by spoofing the HTTP Host header. Affected versions 7.1.0-7.4.11 and 8.0.0-8.0.11 derive the CAS 'service' parameter from the client-controlled Host header when framework.trusted_hosts is unset (the default), so an attacker who controls another application registered with the same CAS server can replay a victim's service ticket against the Symfony app and log in as that victim. There is no public exploit identified at time of analysis, and EPSS is very low (0.06%), but the fix (7.4.12 / 8.0.12) is vendor-released.

Technical ContextAI

The affected code is the CAS 2.0 protocol handler (Cas2Handler) in the symfony/security-http component, used via the access_token authenticator to validate CAS service tickets against a central CAS server. In CAS, the client-side application tells the CAS server which 'service' (callback URL) a ticket was issued for, and the CAS server only validates a ticket for the matching service. The flaw is CWE-290 (Authentication Bypass by Spoofing): Cas2Handler built that 'service' value from Request::getSchemeAndHttpHost(), which trusts the incoming HTTP Host header unless Symfony's framework.trusted_hosts allow-list is configured - and it is empty by default. Because the service URL is attacker-influenced rather than pinned to the application's real identity, ticket validation can be steered to succeed for a service the attacker actually controls. The fix adds a hard guard that throws a LogicException when no trusted hosts are configured, and introduces a required service_url so the service parameter is no longer derived from the request Host header. CPE data confirms the affected packages are composer/symfony/security-http and the monolithic composer/symfony/symfony.

RemediationAI

Vendor-released patch: upgrade symfony/security-http (or symfony/symfony) to 7.4.12 or 8.0.12 via Composer, per releases https://github.com/symfony/symfony/releases/tag/v7.4.12 and https://github.com/symfony/symfony/releases/tag/v8.0.12 and commit 5ba145dba702404801bdf9e7e8d6df170060d541. The most important compensating control, applicable even before upgrading, is to configure framework.trusted_hosts with a strict regex allow-list of your application's real hostname(s) (e.g. trusted_hosts: ['^app\.example$']); this makes Symfony reject spoofed Host headers with a SuspiciousOperationException and is the same mechanism the patched code now enforces - the trade-off is that you must enumerate every legitimate host/domain your app answers on or legitimate requests will be rejected. After upgrading, adopt the new required service_url option on Cas2Handler to pin the CAS service parameter to a fixed, configured URL instead of the request Host. As a network-layer control, ensure the reverse proxy/load balancer overwrites or validates the incoming Host header rather than passing arbitrary client values through to PHP. Advisory URL: https://github.com/symfony/symfony/security/advisories/GHSA-j8gj-9rm5-4xhx.

Share

EUVD-2026-44338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy