Incorrect authorization in Symfony - CVE-2026-45075


Published: May 21, 2026


Vulnerability identifier: #VU132067
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45075
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SensioLabs
Affected software:
Symfony

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks and trigger unintended controller actions.

The vulnerability exists because the request-method filtering of the #[IsGranted], #[IsSignatureValid], and #[IsCsrfTokenValid] attributes is not applied correctly to HEAD requests when a controller's check is restricted to GET. A remote attacker can send a HEAD request instead of a GET request to bypass the authorization check and trigger unintended controller actions.

Although the response body is not returned for a HEAD request, response headers may still be disclosed and the controller's side effects may still occur.
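As an added defender-side example (not from the advisory and not Symfony code), the check below scans access-log lines for HEAD requests to routes that an application guards with GET-only attribute checks and that still received a successful response; a HEAD that succeeds after the same client's GET was refused is the strongest signal. The route prefixes and log lines are constructed assumptions for a hypothetical application.

```python
import re
from dataclasses import dataclass

# Combined-log-format line: client, timestamp, request line, status (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical route prefixes whose controllers carry a GET-only #[IsGranted],
# #[IsSignatureValid] or #[IsCsrfTokenValid] attribute in the application under review.
PROTECTED_PREFIXES = ("/admin", "/account/export")

@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    denied_get_seen: bool  # same client was refused a GET to this path earlier

def find_head_bypass(lines, prefixes=PROTECTED_PREFIXES):
    """Return HEAD requests to protected paths that got a 2xx/3xx response,
    marking those preceded by a 401/403 GET from the same client."""
    denied_get = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, status = m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(prefixes):
            continue
        if method == "GET" and status in (401, 403):
            denied_get.add((m["ip"], path))
        elif method == "HEAD" and 200 <= status < 400:
            findings.append(Finding(m["ip"], m["ts"], path, status,
                                    (m["ip"], path) in denied_get))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2026:10:00:01 +0000] "GET /admin/users HTTP/1.1" 403 1234',
    '203.0.113.5 - - [21/May/2026:10:00:02 +0000] "HEAD /admin/users HTTP/1.1" 200 0',
    '198.51.100.7 - - [21/May/2026:10:00:03 +0000] "GET /admin/users HTTP/1.1" 200 5678',
    '198.51.100.7 - - [21/May/2026:10:00:04 +0000] "HEAD /public/page HTTP/1.1" 200 0',
    '203.0.113.5 - - [21/May/2026:10:00:05 +0000] "HEAD /account/export?fmt=csv HTTP/1.1" 302 0',
]
```

Running `find_head_bypass(SAMPLE_LOG)` flags the two HEAD requests from 203.0.113.5; the same check run after patching should show HEAD receiving the same 401/403 as GET.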


How to mitigate CVE-2026-45075

Install the security update from the vendor's website.

Sources