CVE-2026-45063

Description

### Description `X509Authenticator` implements client-certificate (mTLS) authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN (Distinguished Name: a string like `CN=Alice,O=Example,emailAddress=alice@example.com`) to Symfony via `$_SERVER['SSL_CLIENT_S_DN']`. Symfony extracts the user identifier from that string. The extraction uses an **unanchored** regex that matches `emailAddress=` anywhere in the DN string: including inside the *value* of a different RDN (Relative Distinguished Name: one `key=value` component of the DN), such as `CN`. An attacker who can obtain a certificate from a trusted CA with a free-text `CN` can smuggle `emailAddress=victim@target` inside the CN value and be authenticated as the victim. ### Resolution The `X509Authenticator` now uses a regex that anchors the match to an RDN boundary (start of string, or following a `,` / `/` separator). The patch for this issue is available [here](https://github.com/symfony/symfony/commit/ccb3f724c7ff55670a6fe3521c7bf1514cceb478) for branch 5.4. ### Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

How to fix CVE-2026-45063

To remediate CVE-2026-45063, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 5.4.52 or later
• —upgrade to 5.4.52 or later

Is CVE-2026-45063 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45063.

Affected packages (3)

• from 0
• from 0, < 5.4.52
• from 0, < 5.4.52

CVSS scores

References (7)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-45063
• PATCHgithub.com/symfony/symfony
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45063.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45063.yaml