CVE-2026-49211 in Symfony
Summary
by MITRE • 07/17/2026
Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping SQL LIKE wildcards (%, _, \), allowing unauthenticated users to turn the public BaseEntityAutocompleteType endpoint into a broad matcher or blind boolean oracle against every column in default searchable_fields. This issue is fixed in versions 2.36.0 and 3.1.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability exists within Symfony UX Autocomplete component, specifically in the Doctrine\EntitySearchUtil::addSearchClause() method where client-supplied input is improperly handled during SQL LIKE expression construction. This flaw affects versions from 2.2.0 through 2.36.0 and 3.1.0, creating a significant security risk that can be exploited by unauthenticated attackers to perform unauthorized database enumeration and inference attacks against the application's autocomplete functionality.
The technical implementation flaw stems from inadequate input sanitization where user-provided search queries are directly incorporated into SQL LIKE patterns without proper escaping of SQL wildcards including percent signs, underscores, and backslashes. When a client submits a search query to the public BaseEntityAutocompleteType endpoint, the system wraps this input with wildcard characters %...% without first escaping any existing wildcards within the user data, creating a dangerous SQL injection vector that can be leveraged for blind boolean-based attacks.
The operational impact of this vulnerability is severe as it transforms a publicly accessible autocomplete endpoint into a broad matcher or blind boolean oracle against all columns defined in the default searchable_fields configuration. Attackers can systematically probe database structures and content by manipulating search parameters to infer information about database schema, table names, column names, and even data values through response timing differences or boolean outcomes from the autocomplete service. This effectively provides unauthorized access to database metadata and potentially sensitive data through indirect means.
This vulnerability aligns with CWE-89 (SQL Injection) and CWE-20 (Improper Input Validation) categories while mapping to ATT&CK technique T1213.002 (Data from Information Repositories) and T1071.004 (Application Layer Protocol: DNS). The attack surface is particularly concerning because it leverages legitimate application functionality to bypass normal access controls, making detection more challenging and exploitation straightforward for adversaries with basic knowledge of SQL injection techniques.
The recommended mitigation involves upgrading to patched versions 2.36.0 or 3.1.0 where proper input escaping has been implemented for SQL LIKE wildcards. Additionally, organizations should implement proper rate limiting on autocomplete endpoints, consider additional authentication requirements for sensitive search operations, and regularly audit application components for similar input validation issues. Security teams should also monitor for unauthorized access patterns and implement database query logging to detect potential exploitation attempts against autocomplete functionality.