Skip to main content

EUVDEUVD-2026-44374

| CVE-2026-48489 HIGH
Incorrect Authorization (CWE-863)
2026-06-15 https://github.com/symfony/symfony GHSA-6h46-9jf5-q59x
8.7
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N/UI:N) but requires non-default failure_forward:true config and a useful GET route behind access_control, so AC:H; bypass crosses firewall scope (S:C); read-only impact gives C:H, I:N, A:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 20:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 20:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
Jun 15, 2026 - 17:54 vuln.today
Analysis Generated
Jun 15, 2026 - 17:54 vuln.today

DescriptionCVE.org

Description

When a firewall is configured with form-login (or any authenticator using DefaultAuthenticationFailureHandler) and the failure_forward: true option, the handler reads the _failure_path parameter from the failing login request and uses it as the path of an internal subrequest dispatched through HttpKernelInterface::SUB_REQUEST.

Symfony's Firewall::onKernelRequest listener intentionally skips subrequests under the assumption they are internally generated and trusted, which also means AccessListener (the listener that evaluates access_control) does not run. Because the attacker controls the target of the subrequest, an unauthenticated POST to the check path with _failure_path=/admin/whatever performs a local request forgery that executes the target controller outside the firewall perimeter and returns its response to the caller.

Applications that follow Symfony's recommended best practice of protecting administrative areas with broad access_control rules (e.g. ^/admin requires ROLE_ADMIN) and expose read-only GET endpoints under that area (data exports, internal APIs, account views) are fully exposed: any such GET route can be read by an unauthenticated attacker without any developer misconfiguration, debug mode, or state-changing GET handler being required.

Resolution

DefaultAuthenticationFailureHandler no longer honors the request-supplied _failure_path parameter when failure_forward is enabled. The subrequest is always dispatched to the configured failure_path option (defaulting to login_path), which is set by the application owner and not by the request. The redirect branch (failure_forward: false) is unchanged because redirects re-enter the firewall on the next request and are not subject to this bypass.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Nguyen Ngoc Toan Thang (@a-tt-om) and Tran Quoc Tri Trung (@teebow1e) for reporting the issue, and Nicolas Grekas for providing the fix.

AnalysisAI

Authorization bypass in Symfony's Security component (symfony/security-http) lets unauthenticated attackers reach access_control-protected GET routes by abusing the DefaultAuthenticationFailureHandler. When a firewall uses form-login (or any authenticator on that handler) with failure_forward: true, an attacker-supplied _failure_path parameter is dispatched as a trusted internal SUB_REQUEST that skips the Firewall/AccessListener perimeter, exposing protected read endpoints such as data exports and internal APIs. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; CVSS 4.0 base is 8.7 (High) reflecting high confidentiality impact with no auth required, though it depends on the non-default failure_forward configuration.

Share

EUVD-2026-44374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy