GHSA-29fc-p6c4-24cg

Source
https://github.com/advisories/GHSA-29fc-p6c4-24cg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-29fc-p6c4-24cg/GHSA-29fc-p6c4-24cg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-29fc-p6c4-24cg
Aliases
  • CVE-2026-45069
Published
2026-05-27T21:03:36Z
Modified
2026-05-27T21:15:09.524708260Z
Severity
  • 4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Summary
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Details

Description

OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager.

OidcTokenHandler::verifyClaims() registers audience (aud), issuer (iss), and expiry (exp) checkers, but never passes the $mandatoryClaims argument to ClaimCheckerManager::check(). That method only validates claims that are present in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply omits aud, iss, and exp therefore passes verification.

Resolution

The OidcTokenHandler now calls the ClaimCheckerManager with the list of mandatory claims so that tokens missing aud, iss, or exp are rejected.
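To see what the fix changes, the following added example (not Symfony's or web-token's own code) runs web-token/jwt-checker's ClaimCheckerManager over a constructed payload that omits aud, iss and exp, first the way the vulnerable handler called it and then with the mandatory-claim list. The audience "my-api" and the issuer URL are assumed values, and signature verification is taken as already done upstream.

```php
<?php
// Added example, not code from Symfony or web-token. Assumes
// web-token/jwt-checker is installed through Composer.
require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\InvalidClaimException;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Checker\MissingMandatoryClaimException;

// Same three checkers OidcTokenHandler::verifyClaims() registers.
// 'my-api' and the issuer URL are assumed values for this example.
$manager = new ClaimCheckerManager([
    new AudienceChecker('my-api'),
    new IssuerChecker(['https://idp.example']),
    new ExpirationTimeChecker(),
]);

// Constructed payload: treated as correctly signed, but with the
// aud, iss and exp claims simply left out.
$claims = ['sub' => 'alice'];

// Returns a short verdict so both call styles can be compared side by side.
function verify(ClaimCheckerManager $manager, array $claims, array $mandatory): string
{
    try {
        // check() only runs a checker when its claim is present; claims
        // listed in $mandatory must exist or the call throws.
        $manager->check($claims, $mandatory);
        return 'accepted';
    } catch (MissingMandatoryClaimException $e) {
        return 'rejected, missing mandatory claim: ' . $e->getMessage();
    } catch (InvalidClaimException $e) {
        return 'rejected, invalid claim: ' . $e->getMessage();
    }
}

// Vulnerable pattern: no mandatory list, so absent aud/iss/exp are skipped.
echo 'without mandatory claims: ', verify($manager, $claims, []), PHP_EOL;

// Fixed pattern: the handler now names the claims that must be present.
echo 'with mandatory claims:    ', verify($manager, $claims, ['aud', 'iss', 'exp']), PHP_EOL;
```

The first call prints "accepted" for a token carrying nothing but a subject; the second rejects it before any checker runs, which is the behaviour the patched handler relies on.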

The patch for this issue is available here for branch 6.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Database specific
{
    "cwe_ids": [
        "CWE-345",
        "CWE-1287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T21:03:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}
References

Affected packages

Packagist
symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony%2Fsecurity-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.4.40

Affected versions

v6.*
v6.3.0
v6.3.1
v6.3.2
v6.3.4
v6.3.5
v6.3.6
v6.3.8
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.0
v6.4.3
v6.4.4
v6.4.7
v6.4.8
v6.4.9
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.18
v6.4.19
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.30
v6.4.31
v6.4.34
v6.4.39

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-29fc-p6c4-24cg/GHSA-29fc-p6c4-24cg.json"
symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony%2Fsecurity-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.0
Fixed
7.4.12

Affected versions

v7.*
v7.4.0
v7.4.1
v7.4.3
v7.4.4
v7.4.6
v7.4.8
v7.4.9
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-29fc-p6c4-24cg/GHSA-29fc-p6c4-24cg.json"
symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony%2Fsecurity-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.3
v8.0.4
v8.0.6
v8.0.8
v8.0.9
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-29fc-p6c4-24cg/GHSA-29fc-p6c4-24cg.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.4.40

Affected versions

v6.*
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.3.10
v6.3.11
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.34
v6.4.35
v6.4.36
v6.4.37
v6.4.38
v6.4.39

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-29fc-p6c4-24cg/GHSA-29fc-p6c4-24cg.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.0
Fixed
7.4.12

Affected versions

v7.*
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v7.4.10
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-29fc-p6c4-24cg/GHSA-29fc-p6c4-24cg.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.0.10
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-29fc-p6c4-24cg/GHSA-29fc-p6c4-24cg.json"