CVE-2026-45069 in Symfony
Summary
by MITRE • 07/14/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, OidcTokenHandler::verifyClaims() registered audience (aud), issuer (iss), and expiry (exp) checkers but did not pass the mandatory claims list to ClaimCheckerManager::check(), so a validly signed JWT that omitted those claims could pass verification. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability exists within the Symfony framework's OpenID Connect token handling mechanism, specifically in the OidcTokenHandler::verifyClaims() method across multiple versions. This flaw represents a critical security oversight that undermines the integrity of JWT verification processes by allowing malicious actors to bypass essential validation checks. The issue stems from a design defect where the system registers audience, issuer, and expiry claim checkers but fails to properly pass the mandatory claims list to the ClaimCheckerManager::check() method during verification operations.
The technical implementation flaw occurs when processing validly signed JSON Web Tokens that intentionally omit the aud, iss, and exp claims. Despite these claims being fundamental to JWT security standards and typically required for proper token validation, the system's incomplete implementation allows such tokens to pass verification successfully. This creates a dangerous scenario where tokens lacking essential security metadata can be accepted as legitimate, potentially enabling unauthorized access or authentication bypass attacks. The vulnerability specifically affects versions prior to 6.4.40, 7.4.12, and 8.0.12 of the Symfony framework, representing a widespread issue across multiple release lines.
From an operational impact perspective, this vulnerability compromises the core security assurances that JWT-based authentication systems are designed to provide. Attackers could exploit this weakness by crafting tokens that omit the required claims while maintaining valid signatures, thereby circumventing critical security controls. The implications extend beyond simple authentication bypasses to potentially enable privilege escalation attacks, session hijacking, and unauthorized system access. This issue directly violates security best practices for token validation and undermines trust in the framework's security posture.
The fix implemented in versions 6.4.40, 7.4.12, and 8.0.12 addresses the root cause by ensuring that the mandatory claims list is properly passed to ClaimCheckerManager::check() during verification operations. This correction restores proper validation of essential JWT claims including audience, issuer, and expiration time, bringing the framework into compliance with established security standards for token processing. Organizations should prioritize updating to these patched versions to eliminate the risk of exploitation.
This vulnerability aligns with CWE-295 which addresses improper certificate validation and related issues in authentication systems. The flaw also relates to ATT&CK technique T1566 which covers credential access through social engineering and authentication bypass methods. The issue demonstrates how seemingly minor implementation oversights in security-critical components can create significant attack vectors. Proper adherence to security standards requires that all mandatory claims be validated during token processing, ensuring that tokens cannot pass verification without containing the essential metadata required for secure authentication operations.