CVE-2026-45074

Description

`Cas2Handler` builds this `service` parameter from `Request::getSchemeAndHttpHost()`, which reflects the attacker-controlled HTTP `Host` header whenever Symfony's `framework.trusted_hosts` setting is not configured (the default). An attacker who controls any *other* application registered with the same CAS server can replay a victim's ticket against the Symfony application, with a spoofed `Host` header, and be authenticated as that victim. ### Resolution A new required `service_url` configuration option is introduced on `Cas2Handler`. The CAS `service` parameter sent to the validation endpoint is now built from this configured URL instead of being derived from the request's `Host` header, preventing cross-service ticket replay via Host header spoofing. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5ba145dba702404801bdf9e7e8d6df170060d541) for branch 7.4. ### Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Nicolas Grekas for providing the fix.

How to fix CVE-2026-45074

To remediate CVE-2026-45074, upgrade the affected package to a fixed version below.

• —upgrade to 7.4.12+dfsg-1 or later
• —upgrade to 7.4.12 or later
• —upgrade to 7.4.12 or later

Is CVE-2026-45074 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45074.

Affected packages (3)

• from 0, < 7.4.12+dfsg-1
• >= 7.1.0, < 7.4.12
• >= 7.1.0, < 7.4.12

CVSS scores

References (7)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-45074
• PATCHgithub.com/symfony/symfony
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45074.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45074.yaml