CVE-2026-45069
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Description
### Description

`OidcTokenHandler` is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the `web-token/jwt-checker` library's `ClaimCheckerManager`.

`OidcTokenHandler::verifyClaims()` registers audience (`aud`), issuer (`iss`), and expiry (`exp`) checkers, but never passes the `$mandatoryClaims` argument to `ClaimCheckerManager::check()`. That method only validates claims that are *present* in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply **omits** `aud`, `iss`, and `exp` therefore passes verification.

### Resolution

The `OidcTokenHandler` now calls the `ClaimCheckerManager` with the list of mandatory claims so that tokens missing `aud`, `iss`, or `exp` are rejected.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d) for branch 6.4.

### Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
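The following is an added illustration of the defect and its fix, not Symfony's or web-token's own code: it drives the `web-token/jwt-checker` `ClaimCheckerManager` directly, first without and then with the mandatory-claims list. The audience `my-api`, the issuer `https://idp.example` and the claim set are constructed values, and signature verification is assumed to have already taken place.

```php
<?php
// Added example (not from Symfony or web-token). Requires:
//   composer require web-token/jwt-checker
require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Checker\MissingMandatoryClaimException;

// Constructed payload of a JWT whose signature is assumed valid but which
// carries none of the claims the handler is meant to enforce.
$claimsWithoutAudIssExp = ['sub' => 'alice', 'iat' => time()];

// Same three checkers OidcTokenHandler::verifyClaims() registers.
$manager = new ClaimCheckerManager([
    new AudienceChecker('my-api'),              // constructed expected aud
    new IssuerChecker(['https://idp.example']), // constructed trusted iss
    new ExpirationTimeChecker(),                // exp must not be in the past
]);

// 1. Vulnerable call: no $mandatoryClaims. Each checker runs only when its
//    claim is present, so a token with none of them is accepted; check()
//    simply returns the (empty) set of claims it validated.
$validated = $manager->check($claimsWithoutAudIssExp);
echo 'without mandatory list: accepted, validated claims = '
    . json_encode($validated) . PHP_EOL;

// 2. Fixed call: name the claims that must exist. A missing claim is now
//    rejected, not skipped, independently of the per-claim value checks.
try {
    $manager->check($claimsWithoutAudIssExp, ['aud', 'iss', 'exp']);
    echo 'with mandatory list: accepted (unexpected)' . PHP_EOL;
} catch (MissingMandatoryClaimException $e) {
    echo 'with mandatory list: rejected, missing '
        . implode(', ', $e->getClaims()) . PHP_EOL;
}
```

When testing a deployment, a token with the three claims stripped is the simplest regression check: on a patched handler it must be rejected before any user lookup happens.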
How to fix CVE-2026-45069
To remediate CVE-2026-45069, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 6.4.40 or later
- —upgrade to 6.4.40 or later
Is CVE-2026-45069 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45069.
Affected packages (3)
- from 0
- >= 6.3.0, < 6.4.40
- >= 6.3.0, < 6.4.40
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |