Skip to main content

EUVDEUVD-2026-44347

| CVE-2026-45063 CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-05-27 https://github.com/symfony/symfony GHSA-ph86-p8f6-f9r2
9.1
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 19:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 19:22 NVD
9.1 (CRITICAL)
Source Code Evidence Fetched
May 27, 2026 - 20:31 vuln.today
Analysis Generated
May 27, 2026 - 20:31 vuln.today

DescriptionCVE.org

Description

X509Authenticator implements client-certificate (mTLS) authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN (Distinguished Name: a string like CN=Alice,O=Example,emailAddress=alice@example.com) to Symfony via $_SERVER['SSL_CLIENT_S_DN']. Symfony extracts the user identifier from that string.

The extraction uses an unanchored regex that matches emailAddress= anywhere in the DN string: including inside the *value* of a different RDN (Relative Distinguished Name: one key=value component of the DN), such as CN. An attacker who can obtain a certificate from a trusted CA with a free-text CN can smuggle emailAddress=victim@target inside the CN value and be authenticated as the victim.

Resolution

The X509Authenticator now uses a regex that anchors the match to an RDN boundary (start of string, or following a , / / separator).

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

Identity spoofing in Symfony's Security-Http component (the X509Authenticator) lets a certificate-based (mTLS) client authenticate as an arbitrary victim user. The extractUsername() routine used an unanchored regex that matched emailAddress= anywhere in the client certificate's Subject DN, so an attacker holding any certificate from a trusted CA with an attacker-controlled free-text CN can smuggle emailAddress=victim@target inside the CN and be logged in as that victim. Rated CVSS 4.0 9.1 (CWE-290) with a low EPSS of 0.05% (17th percentile); no public exploit identified at time of analysis and it is not in CISA KEV, but a vendor patch and regression tests are published.

Share

EUVD-2026-44347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy