GHSA-ph86-p8f6-f9r2
Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
Details
### Description
`X509Authenticator` implements client-certificate (mTLS) authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN (Distinguished Name: a string like `CN=Alice,O=Example,emailAddress=alice@example.com`) to Symfony via `$_SERVER['SSL_CLIENT_S_DN']`. Symfony extracts the user identifier from that string.
The extraction uses an **unanchored** regex that matches `emailAddress=` anywhere in the DN string: including inside the *value* of a different RDN (Relative Distinguished Name: one `key=value` component of the DN), such as `CN`. An attacker who can obtain a certificate from a trusted CA with a free-text `CN` can smuggle `emailAddress=victim@target` inside the CN value and be authenticated as the victim.
### Resolution
The `X509Authenticator` now uses a regex that anchors the match to an RDN boundary (start of string, or following a `,` / `/` separator).
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/ccb3f724c7ff55670a6fe3521c7bf1514cceb478) for branch 5.4.
### Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 5.4.52 composer require symfony/security-http:^5.4.52 6.0.0-BETA1 Fixed in: 6.4.40 composer require symfony/security-http:^6.4.40 7.0.0-BETA1 Fixed in: 7.4.12 composer require symfony/security-http:^7.4.12 8.0.0-BETA1 Fixed in: 8.0.12 composer require symfony/security-http:^8.0.12 0 Fixed in: 5.4.52 composer require symfony/symfony:^5.4.52 6.0.0-BETA1 Fixed in: 6.4.40 composer require symfony/symfony:^6.4.40 7.0.0-BETA1 Fixed in: 7.4.12 composer require symfony/symfony:^7.4.12 8.0.0-BETA1 Fixed in: 8.0.12 composer require symfony/symfony:^8.0.12 References
- https://github.com/symfony/symfony/security/advisories/GHSA-ph86-p8f6-f9r2 [WEB]
- https://github.com/symfony/symfony/commit/ccb3f724c7ff55670a6fe3521c7bf1514cceb478 [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45063.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45063.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45063 [WEB]