CVE-2026-49215: symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted
When using symfony/ux-live-component, methods annotated with #[LiveAction] are invokable from the browser and mutate server-side state via AJAX. Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gated these invocations on the presence of Accept: application/vnd.live-component+html, with a code comment stating that this acted as a CSRF protection.
The Accept header is a CORS-safelisted request header, so a cross-origin fetch() can set it without triggering a preflight. The header therefore provided no CSRF protection. Any #[LiveAction] could be forged cross-origin against a victim’s session.
In practice the attack is mitigated by SameSite=Lax session cookies (Symfony’s default), but applications using SameSite=None, credentials: 'include' with a permissive cookie policy, or that have been pivoted from another same-origin vector remained exposed.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49215.yaml
- github.com/advisories/GHSA-4m4j-hmqq-3gxm
- github.com/symfony/ux/commit/aed7493db2b4b7bf1f9c79b33cda544f06904b27
- github.com/symfony/ux/security/advisories/GHSA-4m4j-hmqq-3gxm
- nvd.nist.gov/vuln/detail/CVE-2026-49215
Code Behaviors & Features
Detect and mitigate CVE-2026-49215 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →