CVE-2026-45073

Description

### Description `Symfony\Component\Cache\Adapter\PdoAdapter` is the PDO-backed cache adapter. Its `clear($prefix)` method (inherited from `AbstractAdapterTrait`) is documented to delete cache items whose key starts with `$prefix`. In the non-versioning code path, the caller-supplied `$prefix` is concatenated into `$namespace = $this->namespace.$prefix` and passed to `PdoAdapter::doClear()`, which builds: ```sql DELETE FROM <table> WHERE <id_col> LIKE '<namespace>%' ``` The value is interpolated directly into the SQL text and executed with `PDO::exec()`: `$namespace` is not bound. A caller able to influence `$prefix` can break out of the literal and inject SQL, expanding deletion scope from the intended prefix to arbitrary rows, or otherwise reshape query semantics. Most applications don't expose `clear($prefix)` to untrusted input directly, but the contract of the method is to safely accept any prefix string, so the lack of escaping is a defect of the adapter itself. ### Resolution `AbstractAdapterTrait::clear()` now rejects any `$prefix` containing characters outside `[-+.A-Za-z0-9]`: when an invalid prefix is supplied, the method logs a warning and returns `false` instead of reaching the SQL layer. This blocks quotes, `%`, null bytes and other characters that would let an attacker break out of the `LIKE` literal. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/ec50b799d79ebe24561f29351c1efcb6da95c9b1) for branch 5.4. ### Credits Symfony would like to thank secsys_codex for reporting the issue and Nicolas Grekas for fixing it.

How to fix CVE-2026-45073

To remediate CVE-2026-45073, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 5.4.52 or later
• —upgrade to 5.4.52 or later

Is CVE-2026-45073 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45073.

Affected packages (3)

• from 0
• from 0, < 5.4.52
• from 0, < 5.4.52

CVSS scores

References (7)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-45073
• PATCHgithub.com/symfony/symfony
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2026-45073.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45073.yaml