CVE-2026-45063: Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
X509Authenticator implements client-certificate (mTLS) authentication: the web server validates the client’s certificate against a trusted CA, then passes the certificate’s Subject DN (Distinguished Name: a string like CN=Alice,O=Example,emailAddress=alice@example.com) to Symfony via $_SERVER['SSL_CLIENT_S_DN']. Symfony extracts the user identifier from that string.
The extraction uses an unanchored regex that matches emailAddress= anywhere in the DN string: including inside the value of a different RDN (Relative Distinguished Name: one key=value component of the DN), such as CN. An attacker who can obtain a certificate from a trusted CA with a free-text CN can smuggle emailAddress=victim@target inside the CN value and be authenticated as the victim.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45063.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45063.yaml
- github.com/advisories/GHSA-ph86-p8f6-f9r2
- github.com/symfony/symfony/commit/ccb3f724c7ff55670a6fe3521c7bf1514cceb478
- github.com/symfony/symfony/security/advisories/GHSA-ph86-p8f6-f9r2
- nvd.nist.gov/vuln/detail/CVE-2026-45063
- symfony.com/cve-2026-45063
Code Behaviors & Features
Detect and mitigate CVE-2026-45063 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →