Method-Specific Attribute Misconfiguration in Symfony PHP Framework
CVE-2026-45075
What is CVE-2026-45075?
The Symfony PHP framework, widely used for web and console applications, exhibits a misconfiguration related to method-scoped attributes 'IsGranted', 'IsSignatureValid', and 'IsCsrfTokenValid'. In versions earlier than 7.4.12 and 8.0.12, these attributes can only be restricted to GET requests. However, since Symfony routes HEAD requests to the GET handler, the attribute checks are bypassed. This oversight potentially allows unauthorized controllers to execute actions and expose headers or perform unintended side effects, leading to possible data leakage. The vulnerability has been addressed in Symfony updates 7.4.12 and 8.0.12.
Affected Version(s)
http-kernel >= 7.4.0-BETA1, < 7.4.12 < 7.4.0-BETA1, 7.4.12
http-kernel >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
security-http >= 7.4.0-BETA1, < 7.4.12 < 7.4.0-BETA1, 7.4.12
