CVE-2026-45074: Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
Cas2Handler builds the CAS `service` parameter from Request::getSchemeAndHttpHost(), which reflects the attacker-controlled HTTP Host header whenever Symfony's framework.trusted_hosts setting is not configured (the default). An attacker who controls any other application registered with the same CAS server can replay a victim's ticket against the Symfony application with a spoofed Host header and be authenticated as that victim.
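The following script is an added illustration of the Host-header dependence described above and of the trusted_hosts mitigation; it is not code from Symfony or from the advisory. It assumes symfony/http-foundation is installed via Composer, and the buildServiceUrl helper and all host names are constructed for the example.

```php
<?php
// Added example (not Symfony's own code). Requires symfony/http-foundation via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
use Symfony\Component\HttpFoundation\Request;

// Hypothetical helper mirroring the vulnerable pattern: the CAS "service"
// value is derived from whatever scheme and host the incoming request claims.
function buildServiceUrl(Request $request): string
{
    return $request->getSchemeAndHttpHost() . $request->getPathInfo();
}

// Constructed request for the legitimate deployment, with the Host header
// overwritten to point at another service registered with the same CAS server.
function spoofedRequest(): Request
{
    $request = Request::create('https://app.example.test/login/cas');
    $request->headers->set('Host', 'other-service.example.test');
    return $request;
}

// 1. Default (no trusted hosts configured): the spoofed host is reflected into "service".
echo "Without trusted hosts: ", buildServiceUrl(spoofedRequest()), "\n";

// 2. Mitigation: restrict accepted hosts. Equivalent in config/packages/framework.yaml:
//    framework:
//        trusted_hosts: ['^app\.example\.test$']
Request::setTrustedHosts(['^app\.example\.test$']);
try {
    buildServiceUrl(spoofedRequest());
} catch (SuspiciousOperationException $e) {
    // getHost() now refuses the untrusted Host, so the spoofed value never reaches the service URL.
    echo "With trusted hosts: rejected (", $e->getMessage(), ")\n";
}

// 3. The legitimate host still passes the pattern check.
echo "Legitimate request: ", buildServiceUrl(Request::create('https://app.example.test/login/cas')), "\n";
```

Setting framework.trusted_hosts is the configuration-level check the advisory names; the request-level behaviour shown here is the same one the framework applies when that option is set.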
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45074.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45074.yaml
- github.com/advisories/GHSA-j8gj-9rm5-4xhx
- github.com/symfony/symfony/commit/5ba145dba702404801bdf9e7e8d6df170060d541
- github.com/symfony/symfony/security/advisories/GHSA-j8gj-9rm5-4xhx
- nvd.nist.gov/vuln/detail/CVE-2026-45074
- symfony.com/cve-2026-45074