Vulnerability in Symfony PHP Framework for Web and Console Applications
CVE-2026-45069

8.8HIGH

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45069?

Prior to the latest releases, the Symfony PHP framework had a vulnerability where the OidcTokenHandler::verifyClaims() method failed to enforce the mandatory claims list during JSON Web Token (JWT) verification. As a result, a validly signed JWT could pass verification even if essential claims, such as audience (aud), issuer (iss), and expiry (exp), were omitted. This flaw could be exploited to bypass security checks, enabling unauthorized access to resources. The issue is resolved in versions 6.4.40, 7.4.12, and 8.0.12, where the necessary claims are now effectively validated.

Affected Version(s)

security-http >= 6.3.0, < 6.4.40 < 6.3.0, 6.4.40

security-http >= 7.4.0, < 7.4.12 < 7.4.0, 7.4.12

security-http >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.