CVE-2026-45069: Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
OidcTokenHandler is Symfony’s built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library’s ClaimCheckerManager.
OidcTokenHandler::verifyClaims() registers audience (aud), issuer (iss), and expiry (exp) checkers, but never passes the $mandatoryClaims argument to ClaimCheckerManager::check(). That method only validates claims that are present in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply omits aud, iss, and exp therefore passes verification.
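The following added example (not Symfony's or web-token's own code) reproduces the failure mode against web-token/jwt-checker directly: the same ClaimCheckerManager accepts a payload with no aud/iss/exp when called without the $mandatoryClaims argument, and rejects it once the three claims are declared mandatory. The audience and issuer values are hypothetical, and a Composer autoloader with web-token/jwt-checker installed is assumed.

```php
<?php
// Added example, not code from Symfony or web-token. Demonstrates why
// ClaimCheckerManager::check() without $mandatoryClaims lets a token that
// omits aud/iss/exp through, and the hardened call that rejects it.
// Assumes: composer autoload, web-token/jwt-checker installed.
require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\InvalidClaimException;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Checker\MissingMandatoryClaimException;

// Hypothetical values standing in for the handler's configured audience/issuers.
$audience = 'my-app';
$issuers  = ['https://idp.example'];

// Same three checkers the handler registers: aud, iss, exp.
$manager = new ClaimCheckerManager([
    new IssuerChecker($issuers),
    new AudienceChecker($audience),
    new ExpirationTimeChecker(),
]);

// Constructed payload of a validly-signed token that carries no aud, iss or exp.
$claimsWithoutAudIssExp = ['sub' => 'alice', 'iat' => time()];

// Vulnerable pattern: no mandatory claims are named, so every checker whose
// claim is absent is skipped. check() returns only the claims it actually
// validated, which here is an empty array: nothing was checked, nothing failed.
$validated = $manager->check($claimsWithoutAudIssExp);
printf("without mandatory claims: %d claim(s) validated, token accepted\n", count($validated));

// Hardened pattern: declare aud/iss/exp mandatory. An absent claim now throws
// MissingMandatoryClaimException before any value-level checker runs; a present
// but wrong value (wrong audience, expired exp) throws InvalidClaimException.
try {
    $manager->check($claimsWithoutAudIssExp, ['iss', 'aud', 'exp']);
    echo "with mandatory claims: token accepted (unexpected)\n";
} catch (MissingMandatoryClaimException $e) {
    echo 'with mandatory claims: rejected, ' . $e->getMessage() . "\n";
} catch (InvalidClaimException $e) {
    echo 'with mandatory claims: rejected, ' . $e->getMessage() . "\n";
}
```

The detection check for an application is therefore not "are the checkers registered" but "is every required claim also listed as mandatory", since a registered checker alone never fires for a claim the token leaves out.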
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45069.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45069.yaml
- github.com/advisories/GHSA-29fc-p6c4-24cg
- github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d
- github.com/symfony/symfony/security/advisories/GHSA-29fc-p6c4-24cg
- nvd.nist.gov/vuln/detail/CVE-2026-45069
- symfony.com/cve-2026-45069