Webhook Secret Verification Flaw in Symfony Mailer and Notifier Bridges
CVE-2026-45754
6.9MEDIUM
What is CVE-2026-45754?
The Symfony framework, widely used for web and console applications, contains a vulnerability affecting the Mailjet mailer and LOX24 notifier bridges. Versions prior to 6.4.40, 7.4.12, and 8.0.12 inadequately verify webhook secrets upon receiving configured secrets, enabling attackers to send unauthenticated POST requests. This oversight allows for the injection of forged event payloads, potentially compromising application integrity. Users are advised to upgrade to the latest patched versions to mitigate this issue.
Affected Version(s)
lox24-notifier >= 7.1.0-BETA1, < 7.4.12 < 7.1.0-BETA1, 7.4.12
lox24-notifier >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
mailjet-mailer >= 6.4.0, < 6.4.40 < 6.4.0, 6.4.40
