CVE-2026-47767 in Symfony
Summary
by MITRE • 07/14/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.46 until 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the CVE-2024-50340 fix gated runtime argv parsing on empty($_GET), but parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability CVE-2024-50340 represents a critical runtime argument parsing flaw within the Symfony PHP framework that affects multiple versions including 5.4.46 through 5.4.52, 6.4.40, 7.4.12, and 8.0.12. This issue stems from an inconsistent handling of command-line arguments between different PHP server APIs and parsing mechanisms, creating a potential security bypass scenario. The vulnerability specifically targets the framework's approach to validating runtime arguments when the application is executed in a web context where traditional GET parameter parsing might not align with command-line argument processing.
The technical flaw manifests when Symfony attempts to gate runtime argument parsing by checking if $_GET is empty as a security measure. However, this validation proves insufficient because parse_str() function and the web SAPI (Server API) can produce different results when processing the same input. An attacker can craft a specially designed query string that successfully leaves the $_GET superglobal empty while simultaneously populating the $_SERVER['argv'] array with malicious command-line style arguments such as --env or --no-debug flags. This discrepancy allows attackers to manipulate application environment variables and debug settings without proper authorization, potentially leading to information disclosure or privilege escalation.
The operational impact of this vulnerability extends beyond simple argument manipulation, as it can enable attackers to influence critical application behavior through environment variable modification. When APP_ENV is altered, it can change the application's operational mode, potentially switching from production to development settings that expose sensitive debugging information, disable security measures, or modify logging behavior. Similarly, manipulating APP_DEBUG through the --no-debug flag can prevent proper error handling and security configurations that are typically active in debug mode but disabled in production environments. This creates a pathway for attackers to bypass security controls that depend on these environment variables.
The fix implemented in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12 addresses this inconsistency by ensuring more robust argument parsing validation across different PHP execution contexts. This remediation aligns with security best practices outlined in CWE-213, which deals with Information Exposure Through Inconsistent Interpretation of Input, and follows the principle of least privilege by preventing unauthorized modification of critical application parameters. The solution likely involves strengthening the validation logic to ensure that argument parsing consistency is maintained regardless of whether the application is invoked through web requests or command-line interfaces. This vulnerability demonstrates the importance of maintaining consistent input handling across different execution contexts and highlights the need for comprehensive security testing that considers all potential attack vectors within a framework's architecture, particularly those involving parameter injection and environment manipulation.
Organizations using affected Symfony versions should prioritize immediate patching to address this vulnerability, as it represents a significant risk to application security. The issue also underscores the importance of following ATT&CK framework considerations related to privilege escalation and defense evasion techniques that attackers might employ when exploiting such inconsistencies in web application frameworks. This vulnerability serves as a reminder that even seemingly minor implementation details in parameter parsing can have substantial security implications when they create inconsistencies between different execution contexts within the same application environment.