HMAC Header Handling Flaw in Symfony PHP Framework
CVE-2026-47212
6.9MEDIUM
What is CVE-2026-47212?
The Symfony PHP framework, which supports web and console applications, has a vulnerability in the TwilioRequestParser::doParse() function. This flaw, present in versions prior to 6.4.40, 7.4.12, and 8.0.12, allows unauthenticated POST requests to bypass authentication by ignoring the crucial X-Twilio-Signature HMAC header. As a result, attackers can inject forged Twilio status payloads, posing significant risks to application integrity. Update your Symfony installation to the patched versions to mitigate this vulnerability.
Affected Version(s)
symfony >= 6.4.0, < 6.4.40 < 6.4.0, 6.4.40
symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
symfony >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
