CVE-2026-45075

Source
https://cve.org/CVERecord?id=CVE-2026-45075
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45075.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45075
Aliases
Downstream
Published
2026-07-14T18:40:37.287Z
Modified
2026-07-16T03:49:19.376021619Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Symfony: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, method-scoped #[IsGranted], #[IsSignatureValid], and #[IsCsrfTokenValid] attributes can be configured for GET only, but Symfony routes HEAD requests to the GET handler while the attribute check is skipped, allowing protected controllers to execute and leak headers or perform side effects. This issue is fixed in versions 7.4.12 and 8.0.12.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45075.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "7.4.0-BETA1"
        },
        {
            "fixed": "7.4.12"
        },
        {
            "introduced": "8.0.0-BETA1"
        },
        {
            "fixed": "8.0.12"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v7.*
v7.4.0
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0-RC2
v7.4.0-RC3
v7.4.1
v7.4.10
v7.4.11
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v8.*
v8.0.0
v8.0.0-BETA1
v8.0.0-BETA2
v8.0.0-RC1
v8.0.0-RC2
v8.0.0-RC3
v8.0.1
v8.0.10
v8.0.11
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45075.json"