CVE-2026-54736

Source
https://cve.org/CVERecord?id=CVE-2026-54736
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54736.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54736
Aliases
  • GHSA-8jqh-95g6-7jpj
Published
2026-07-10T21:02:53.873Z
Modified
2026-07-15T01:48:56.491617479Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)
Details

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-208",
        "CWE-347"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54736.json"
}
References

Affected packages

Git / github.com/phalcon/cphalcon

Affected ranges

Type
GIT
Repo
https://github.com/phalcon/cphalcon
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.14.1"
        }
    ]
}

Affected versions

5.*
5.0.0alpha3
5.12.0
phalcon-v0.*
phalcon-v0.7.0
phalcon-v0.9.0
phalcon-v1.*
phalcon-v1.0.0
phalcon-v1.0.1
phalcon-v1.1.0
phalcon-v1.2.0
phalcon-v1.3.0
phalcon-v1.3.1
phalcon-v1.3.2
phalcon-v1.3.3
phalcon-v1.3.4
phalcon-v2.*
phalcon-v2.0.0
phalcon-v2.0.1
phalcon-v2.0.10
phalcon-v2.0.11
phalcon-v2.0.13
phalcon-v2.0.2
phalcon-v2.0.3
phalcon-v2.0.4
phalcon-v2.0.5
phalcon-v2.0.6
phalcon-v2.0.7
phalcon-v2.0.8
phalcon-v2.0.9
v0.*
v0.7.0
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.1.0
v1.2.0
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2
v4.*
v4.0.0
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.3
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.1.0
v5.*
v5.0.0
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0RC1
v5.0.0RC2
v5.0.0RC3
v5.0.0RC4
v5.0.0alpha3
v5.0.0alpha4
v5.0.0alpha5
v5.0.0alpha6
v5.0.0alpha7
v5.0.0beta1
v5.0.0beta2
v5.0.0beta3
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.10.0
v5.11.0
v5.11.1
v5.12.1
v5.13.0
v5.14.0
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.3.0
v5.3.1
v5.4.0
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.7.0
v5.8.0
v5.9.0
v5.9.1
v5.9.2
v5.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54736.json"