Skip to main content

EUVDEUVD-2026-44357

| CVE-2026-45069 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-05-27 https://github.com/symfony/symfony GHSA-29fc-p6c4-24cg
8.8
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-reachable with no target authentication needed (PR:N), but a validly-signed token is required, so impact is impersonation of one identity (C:H, I:L, A:N) and AC:L once such a token is held.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 14, 2026 - 19:46 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 14, 2026 - 19:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 19:22 NVD
8.8 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 22:27 vuln.today
Analysis Generated
May 27, 2026 - 22:27 vuln.today

DescriptionCVE.org

Description

OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager.

OidcTokenHandler::verifyClaims() registers audience (aud), issuer (iss), and expiry (exp) checkers, but never passes the $mandatoryClaims argument to ClaimCheckerManager::check(). That method only validates claims that are *present* in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply omits aud, iss, and exp therefore passes verification.

Resolution

The OidcTokenHandler now calls the ClaimCheckerManager with the list of mandatory claims so that tokens missing aud, iss, or exp are rejected.

The patch for this issue is available here for branch 6.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

Authentication/claim-validation bypass in Symfony's OidcTokenHandler (symfony/security-http 6.3.0–6.4.39, 7.4.0–7.4.11, 8.0.0–8.0.11) lets a validly-signed JWT that simply omits the aud, iss, and exp claims pass verification, because the handler never marks those claims as mandatory. Attackers holding such a token can be authenticated as a valid identity — for example a token issued for a different audience or one that should have expired is accepted. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile).

Share

EUVD-2026-44357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy