Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with no target authentication needed (PR:N), but a validly-signed token is required, so impact is impersonation of one identity (C:H, I:L, A:N) and AC:L once such a token is held.
Primary rating from Vendor (https://github.com/symfony/symfony).
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Description
OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager.
OidcTokenHandler::verifyClaims() registers audience (aud), issuer (iss), and expiry (exp) checkers, but never passes the $mandatoryClaims argument to ClaimCheckerManager::check(). That method only validates claims that are *present* in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply omits aud, iss, and exp therefore passes verification.
Resolution
The OidcTokenHandler now calls the ClaimCheckerManager with the list of mandatory claims so that tokens missing aud, iss, or exp are rejected.
The patch for this issue is available here for branch 6.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
AnalysisAI
Authentication/claim-validation bypass in Symfony's OidcTokenHandler (symfony/security-http 6.3.0–6.4.39, 7.4.0–7.4.11, 8.0.0–8.0.11) lets a validly-signed JWT that simply omits the aud, iss, and exp claims pass verification, because the handler never marks those claims as mandatory. Attackers holding such a token can be authenticated as a valid identity — for example a token issued for a different audience or one that should have expired is accepted. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44357
GHSA-29fc-p6c4-24cg