X509Authenticator Vulnerability in Symfony PHP Framework Affecting Multiple Versions
CVE-2026-45063
9.1CRITICAL
What is CVE-2026-45063?
A vulnerability exists within Symfony's X509Authenticator that allows attackers to exploit an unanchored regular expression when extracting user identifiers from SSL certificate data. Attackers can use a trusted certificate containing an email address embedded in another distinguished name (RDN), such as Common Name (CN), to authenticate as an unsuspecting victim. This flaw affects various versions of Symfony prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12. All users are strongly advised to upgrade to secure versions to mitigate this security risk.
Affected Version(s)
symfony < 5.4.52 < 5.4.52
symfony >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40
symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
