CVE-2026-45073: Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
Symfony\Component\Cache\Adapter\PdoAdapter is the PDO-backed cache adapter. Its clear($prefix) method (inherited from AbstractAdapterTrait) is documented to delete cache items whose key starts with $prefix.
In the non-versioning code path, the caller-supplied $prefix is concatenated into $namespace = $this->namespace.$prefix and passed to PdoAdapter::doClear(), which builds:
DELETE FROM <table> WHERE <id_col> LIKE '<namespace>%'
The value is interpolated directly into the SQL text and executed with PDO::exec(); $namespace is never bound as a parameter. A caller able to influence $prefix can break out of the string literal and inject SQL, widening the deletion from the intended prefix to arbitrary rows, or otherwise changing the meaning of the query.
Most applications don’t expose clear($prefix) to untrusted input directly, but the method’s contract is to accept any prefix string safely, so the missing escaping is a defect in the adapter itself rather than in the calling application.
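To make the defect concrete, here is an added example (not Symfony's code and not its actual patch): a PDO-backed "clear by prefix" written the vulnerable way, interpolating the namespace and prefix into the SQL text, beside a hardened form that binds the pattern as a parameter and escapes LIKE wildcards so the prefix is matched literally. The table name, column names and sample keys are constructed for an in-memory SQLite database.

```php
<?php
// Added example, not Symfony's code: a PDO "clear by prefix" written the
// vulnerable way and a hardened way, run against constructed sample rows.

// Vulnerable shape (mirrors the advisory): namespace + prefix are
// interpolated into the SQL text, so a quote in $prefix ends the literal.
function clearByPrefixUnsafe(PDO $pdo, string $namespace, string $prefix): int
{
    $sql = "DELETE FROM cache_items WHERE item_id LIKE '{$namespace}{$prefix}%'";
    return $pdo->exec($sql);
}

// Hardened shape: the pattern is a bound parameter, and LIKE
// metacharacters (\, %, _) in the caller-supplied value are escaped so
// the prefix can only ever be matched as a literal string.
function clearByPrefixSafe(PDO $pdo, string $namespace, string $prefix): int
{
    $literal = addcslashes($namespace.$prefix, '\\%_');
    $stmt = $pdo->prepare(
        "DELETE FROM cache_items WHERE item_id LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => $literal.'%']);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cache_items (item_id TEXT PRIMARY KEY, item_data BLOB)');

// Constructed sample keys: namespace "app:" plus assorted suffixes.
$insert = $pdo->prepare('INSERT INTO cache_items VALUES (:id, :data)');
foreach (['app:user_1', 'app:user_2', 'app:user%x', 'app:session_9'] as $key) {
    $insert->execute([':id' => $key, ':data' => 'x']);
}

// Safe path: "user_" deletes only keys that literally start with app:user_
// (the underscore is escaped, so app:user%x and app:session_9 survive).
echo clearByPrefixSafe($pdo, 'app:', 'user_'), " rows deleted\n"; // 2

// Unsafe path: a prefix containing a quote changes the SQL text itself;
// with ERRMODE_EXCEPTION this surfaces as a syntax error from the driver.
try {
    clearByPrefixUnsafe($pdo, 'app:', "o'reilly");
} catch (PDOException $e) {
    echo "unsafe query broke the literal: ", $e->getMessage(), "\n";
}
```

When reviewing cache adapters or similar code, the check is the same: any string that reaches the SQL text without passing through a bound parameter is a finding, regardless of how trusted the usual callers are.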
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/cache/CVE-2026-45073.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45073.yaml
- github.com/advisories/GHSA-6qh9-h6wf-jgqc
- github.com/symfony/symfony/commit/ec50b799d79ebe24561f29351c1efcb6da95c9b
- github.com/symfony/symfony/security/advisories/GHSA-6qh9-h6wf-jgqc
- nvd.nist.gov/vuln/detail/CVE-2026-45073
- symfony.com/cve-2026-45073