Vulnerability in Symfony PHP Framework for Web and Console Applications
CVE-2026-45069
8.8HIGH
What is CVE-2026-45069?
Prior to the latest releases, the Symfony PHP framework had a vulnerability where the OidcTokenHandler::verifyClaims() method failed to enforce the mandatory claims list during JSON Web Token (JWT) verification. As a result, a validly signed JWT could pass verification even if essential claims, such as audience (aud), issuer (iss), and expiry (exp), were omitted. This flaw could be exploited to bypass security checks, enabling unauthorized access to resources. The issue is resolved in versions 6.4.40, 7.4.12, and 8.0.12, where the necessary claims are now effectively validated.
Affected Version(s)
security-http >= 6.3.0, < 6.4.40 < 6.3.0, 6.4.40
security-http >= 7.4.0, < 7.4.12 < 7.4.0, 7.4.12
security-http >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
