CVE-2026-49208 in Symfony
Summary
by MITRE • 07/17/2026
Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, when a #[LiveProp] is typed as DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value), allowing client-supplied relative strings such as now, tomorrow, or +10 years to move a writable, format-less date prop past time-based business logic checks. This issue is fixed in versions 2.36.0 and 3.1.0.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability exists within Symfony UX LiveComponent's hydration mechanism where DateTimeInterface properties are improperly handled when no explicit format is configured. This flaw affects versions from 2.8.0 through 2.36.0 and 3.1.0, creating a path for remote code execution through client-side manipulation of date values.
When a #[LiveProp] is declared as DateTimeInterface without specifying a format, the LiveComponentHydrator::hydrateObjectValue() method defaults to instantiating the class directly with client-provided string values. This direct instantiation bypasses normal validation and business logic constraints that would typically prevent manipulation of temporal data. The vulnerability specifically allows attackers to inject relative date strings such as "now", "tomorrow", or "+10 years" which are interpreted by PHP's DateTime constructor, effectively enabling time-based manipulation outside of expected application boundaries.
The technical flaw stems from a lack of input sanitization and validation in the hydration process, where client-supplied data is directly passed to PHP's DateTime constructors without proper filtering. This represents a classic case of insufficient input validation and improper handling of user-provided temporal data, aligning with CWE-20 - Improper Input Validation and CWE-707 - Improper Neutralization of Special Elements used in a Command. The vulnerability enables attackers to manipulate date values beyond normal business logic constraints, potentially allowing unauthorized access to future-dated resources or bypassing time-based restrictions.
The operational impact is significant as this vulnerability allows remote attackers to manipulate temporal data within live components, potentially enabling privilege escalation, data manipulation, or bypass of time-based security controls. Attackers could exploit this to advance dates beyond normal operational limits, affecting scheduling systems, access controls, or any component relying on proper temporal boundaries. The issue specifically impacts applications using Symfony UX LiveComponent's LiveProp functionality where DateTimeInterface properties are used without explicit format configuration.
Mitigation strategies include upgrading to versions 2.36.0 or 3.1.0 where the vulnerability has been patched, implementing explicit format configuration for all DateTimeInterface properties within LiveProps, and adding input validation layers that sanitize temporal data before hydration. Organizations should also consider implementing additional business logic checks around temporal data manipulation, ensuring that all date/time values are validated against expected ranges and business rules. The ATT&CK framework categorizes this as a privilege escalation technique through command execution with improper input handling, while the fix addresses the core issue of insufficient input validation in web applications.