CVE-2026-45063

Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator

Published: 5/27/2026
Modified: 6/1/2026
Also known as: GHSA-ph86-p8f6-f9r2, DEBIAN-CVE-2026-45063

Description

### Description

`X509Authenticator` implements client-certificate (mTLS) authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN (Distinguished Name: a string like `CN=Alice,O=Example,[email protected]`) to Symfony via `$_SERVER['SSL_CLIENT_S_DN']`. Symfony extracts the user identifier from that string.

The extraction uses an **unanchored** regex that matches `emailAddress=` anywhere in the DN string, including inside the *value* of a different RDN (Relative Distinguished Name: one `key=value` component of the DN), such as `CN`. An attacker who can obtain a certificate from a trusted CA with a free-text `CN` can smuggle `emailAddress=victim@target` inside the CN value and be authenticated as the victim.

### Resolution

The `X509Authenticator` now uses a regex that anchors the match to an RDN boundary (start of string, or following a `,` / `/` separator).

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/ccb3f724c7ff55670a6fe3521c7bf1514cceb478) for branch 5.4.

### Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
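The difference between the two extraction rules, as an added example that is not Symfony's own code: the two regexes below are constructed approximations of the unanchored and the RDN-anchored behaviour described above, not the project's actual expressions, and the sample DN strings are constructed.

```python
import re
from typing import Optional

# Constructed approximations (not Symfony's source). The first pattern matches
# `emailAddress=` wherever it occurs in the DN string; the second only accepts
# it at an RDN boundary: start of string, or directly after a `,` or `/`
# separator, so both DN string styles are covered.
UNANCHORED = re.compile(r'emailAddress=([^,/]+)')
ANCHORED = re.compile(r'(?:^|[,/])emailAddress=([^,/]+)')


def extract_unanchored(dn: str) -> Optional[str]:
    """Vulnerable behaviour: first `emailAddress=` found, wherever it sits."""
    m = UNANCHORED.search(dn)
    return m.group(1) if m else None


def extract_anchored(dn: str) -> Optional[str]:
    """Fixed behaviour: `emailAddress=` must start its own RDN."""
    m = ANCHORED.search(dn)
    return m.group(1) if m else None


# Constructed sample DNs, in the two forms a web server may place in SSL_CLIENT_S_DN.
HONEST_COMMA = "CN=Alice,O=Example,emailAddress=alice@example.test"
HONEST_SLASH = "/CN=Alice/O=Example/emailAddress=alice@example.test"
# A free-text CN value carrying an `emailAddress=` substring; the certificate's
# real emailAddress RDN names the holder, not the account written into the CN.
SMUGGLED = "CN=emailAddress=victim@example.test,O=Example,emailAddress=holder@example.test"
NO_EMAIL = "CN=Service,O=Example"


def compare(dn: str) -> dict:
    """Return what each extraction rule would use as the user identifier."""
    return {"unanchored": extract_unanchored(dn), "anchored": extract_anchored(dn)}


if __name__ == "__main__":
    for label, dn in [("honest", HONEST_COMMA), ("slash", HONEST_SLASH),
                      ("smuggled", SMUGGLED), ("no_email", NO_EMAIL)]:
        print(f"{label:9} {compare(dn)}")
```

For the smuggled DN the unanchored rule yields the identifier written inside the CN, while the anchored rule yields the certificate's own emailAddress RDN.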

Affected packages (3)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |

References (7)