Method-Specific Attribute Misconfiguration in Symfony PHP Framework
CVE-2026-45075

8.3HIGH

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45075?

The Symfony PHP framework, widely used for web and console applications, exhibits a misconfiguration related to method-scoped attributes 'IsGranted', 'IsSignatureValid', and 'IsCsrfTokenValid'. In versions earlier than 7.4.12 and 8.0.12, these attributes can only be restricted to GET requests. However, since Symfony routes HEAD requests to the GET handler, the attribute checks are bypassed. This oversight potentially allows unauthorized controllers to execute actions and expose headers or perform unintended side effects, leading to possible data leakage. The vulnerability has been addressed in Symfony updates 7.4.12 and 8.0.12.

Affected Version(s)

http-kernel >= 7.4.0-BETA1, < 7.4.12 < 7.4.0-BETA1, 7.4.12

http-kernel >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

security-http >= 7.4.0-BETA1, < 7.4.12 < 7.4.0-BETA1, 7.4.12

References

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.