{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/symfony/security-http--8.0.0-beta1--8.0.12/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["symfony/security-http \u003c 5.4.52","symfony/security-http \u003e= 6.0.0-BETA1, \u003c 6.4.40","symfony/security-http \u003e= 7.0.0-BETA1, \u003c 7.4.12","symfony/security-http \u003e= 8.0.0-BETA1, \u003c 8.0.12","symfony/symfony \u003c 5.4.52","symfony/symfony \u003e= 6.0.0-BETA1, \u003c 6.4.40","symfony/symfony \u003e= 7.0.0-BETA1, \u003c 7.4.12","symfony/symfony \u003e= 8.0.0-BETA1, \u003c 8.0.12"],"_cs_severities":["high"],"_cs_tags":["symfony","authentication bypass","identity spoofing","CVE-2026-45063"],"_cs_type":"advisory","_cs_vendors":["Symfony"],"content_html":"\u003cp\u003eThe \u003ccode\u003eX509Authenticator\u003c/code\u003e in Symfony versions before 5.4.52, versions between 6.0.0-BETA1 and 6.4.40, versions between 7.0.0-BETA1 and 7.4.12, and versions between 8.0.0-BETA1 and 8.0.12 is susceptible to an identity spoofing vulnerability (CVE-2026-45063). This flaw stems from the use of an unanchored regex when extracting the user identifier from the Subject DN of a client certificate. The \u003ccode\u003eX509Authenticator\u003c/code\u003e implements client-certificate (mTLS) authentication, where the web server validates the client\u0026rsquo;s certificate and then passes the certificate\u0026rsquo;s Subject DN to Symfony via \u003ccode\u003e$_SERVER['SSL_CLIENT_S_DN']\u003c/code\u003e. An attacker who can obtain a certificate from a trusted CA can exploit this vulnerability by embedding a crafted \u003ccode\u003eemailAddress=victim@target\u003c/code\u003e string within the \u003ccode\u003eCN\u003c/code\u003e value of the certificate. This allows the attacker to bypass authentication and impersonate the victim user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a certificate from a trusted Certificate Authority (CA).\u003c/li\u003e\n\u003cli\u003eWhen requesting the certificate, the attacker sets the Common Name (CN) field to include a malicious string like \u003ccode\u003eCN=Attacker emailAddress=victim@example.com,O=AttackerOrg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the certificate to a Symfony application configured to use \u003ccode\u003eX509Authenticator\u003c/code\u003e for authentication.\u003c/li\u003e\n\u003cli\u003eThe web server validates the certificate against the trusted CA.\u003c/li\u003e\n\u003cli\u003eThe web server passes the certificate\u0026rsquo;s Subject DN to Symfony via the \u003ccode\u003e$_SERVER['SSL_CLIENT_S_DN']\u003c/code\u003e variable.\u003c/li\u003e\n\u003cli\u003eSymfony\u0026rsquo;s \u003ccode\u003eX509Authenticator\u003c/code\u003e extracts the user identifier using an unanchored regex.\u003c/li\u003e\n\u003cli\u003eDue to the unanchored regex, the authenticator incorrectly identifies \u003ccode\u003evictim@example.com\u003c/code\u003e as the user\u0026rsquo;s email address from the CN.\u003c/li\u003e\n\u003cli\u003eThe attacker is authenticated as \u003ccode\u003evictim@example.com\u003c/code\u003e, gaining unauthorized access to the victim\u0026rsquo;s account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to impersonate legitimate users on affected Symfony applications. This could lead to unauthorized access to sensitive data, modification of user accounts, or other malicious activities depending on the permissions and roles assigned to the compromised user account. The vulnerability impacts applications using client certificate authentication with the flawed \u003ccode\u003eX509Authenticator\u003c/code\u003e component.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003esymfony/security-http\u003c/code\u003e and \u003ccode\u003esymfony/symfony\u003c/code\u003e to the latest patched versions (\u0026gt;= 5.4.52, \u0026gt;= 6.4.40, \u0026gt;= 7.4.12, \u0026gt;= 8.0.12) as provided by the vendor to remediate CVE-2026-45063.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Symfony X509Authenticator Authentication Bypass\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for requests with manipulated SSL_CLIENT_S_DN values.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider implementing a temporary workaround by sanitizing the \u003ccode\u003e$_SERVER['SSL_CLIENT_S_DN']\u003c/code\u003e value before it is processed by the \u003ccode\u003eX509Authenticator\u003c/code\u003e to prevent exploitation of the unanchored regex.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T16:52:25Z","date_published":"2026-05-27T16:52:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-symfony-x509-auth-bypass/","summary":"Symfony's X509Authenticator is vulnerable to identity spoofing due to an unanchored regex in the extraction of the user identifier from the Subject DN of client certificates, allowing attackers to authenticate as other users by crafting a certificate with a malicious CN value.","title":"Symfony X509Authenticator Identity Spoofing Vulnerability (CVE-2026-45063)","url":"https://feed.craftedsignal.io/briefs/2026-05-symfony-x509-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Symfony/Security-Http \u003e= 8.0.0-BETA1, \u003c 8.0.12","version":"https://jsonfeed.org/version/1.1"}