X509Authenticator Vulnerability in Symfony PHP Framework Affecting Multiple Versions
CVE-2026-45063

9.1CRITICAL

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-45063?

A vulnerability exists within Symfony's X509Authenticator that allows attackers to exploit an unanchored regular expression when extracting user identifiers from SSL certificate data. Attackers can use a trusted certificate containing an email address embedded in another distinguished name (RDN), such as Common Name (CN), to authenticate as an unsuspecting victim. This flaw affects various versions of Symfony prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12. All users are strongly advised to upgrade to secure versions to mitigate this security risk.

Affected Version(s)

symfony < 5.4.52 < 5.4.52

symfony >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40

symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

References

CVSS V4

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.