HMAC Header Handling Flaw in Symfony PHP Framework
CVE-2026-47212

6.9MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-47212?

The Symfony PHP framework, which supports web and console applications, has a vulnerability in the TwilioRequestParser::doParse() function. This flaw, present in versions prior to 6.4.40, 7.4.12, and 8.0.12, allows unauthenticated POST requests to bypass authentication by ignoring the crucial X-Twilio-Signature HMAC header. As a result, attackers can inject forged Twilio status payloads, posing significant risks to application integrity. Update your Symfony installation to the patched versions to mitigate this vulnerability.

Affected Version(s)

symfony >= 6.4.0, < 6.4.40 < 6.4.0, 6.4.40

symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

symfony >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.