Webhook Secret Verification Flaw in Symfony Mailer and Notifier Bridges
CVE-2026-45754

6.9MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45754?

The Symfony framework, widely used for web and console applications, contains a vulnerability affecting the Mailjet mailer and LOX24 notifier bridges. Versions prior to 6.4.40, 7.4.12, and 8.0.12 inadequately verify webhook secrets upon receiving configured secrets, enabling attackers to send unauthenticated POST requests. This oversight allows for the injection of forged event payloads, potentially compromising application integrity. Users are advised to upgrade to the latest patched versions to mitigate this issue.

Affected Version(s)

lox24-notifier >= 7.1.0-BETA1, < 7.4.12 < 7.1.0-BETA1, 7.4.12

lox24-notifier >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

mailjet-mailer >= 6.4.0, < 6.4.40 < 6.4.0, 6.4.40

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.