CVE-2026-45075

Description

### Description Symfony's `#[IsGranted('...')]`, `#[IsSignatureValid]`, and `#[IsCsrfTokenValid(...)]` attributes allow you to define a `methods: [...]` argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining `methods: ['GET']` would be ignored for a `HEAD` request. On the other hand, Symfony's router (and HTTP semantics generally) serves `HEAD` requests using the `GET` handler. Therefore, a controller protected by e.g. `#[IsGranted('ROLE_ADMIN', methods: ['GET'])]` can be reached via `HEAD` with the authorization check silently skipped. Even if the `HEAD` request won't get any response content, response headers leak (`Content-Length`, `Location`, custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur. ### Resolution When adding `GET` in the `methods` option of these attributes, Symfony now also include the `HEAD` method automatically. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/fa8d5c67aa4b22c9656e3fd7d5c3aa59865bf838) for branch 7.4. ### Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.

How to fix CVE-2026-45075

To remediate CVE-2026-45075, upgrade the affected package to a fixed version below.

—upgrade to 7.4.12+dfsg-1 or later
—upgrade to 7.4.12 or later
—upgrade to 7.4.12 or later
—upgrade to 7.4.12 or later

Is CVE-2026-45075 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45075.

Affected packages (4)

from 0, < 7.4.12+dfsg-1
>= 7.4.0, < 7.4.12
>= 7.4.0, < 7.4.12
>= 7.4.0, < 7.4.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U