Symfony, Authentication Bypass by Spoofing, CVE-2026-45074 (Moderate) -DC-Jul2026-1031

Listen to this Post

CVE-2026-45074 is a moderate‑severity vulnerability affecting the Symfony PHP framework, specifically the `Cas2Handler` component used for Central Authentication Service (CAS) integration. The flaw arises from how the `Cas2Handler` constructs the CAS `service` parameter during ticket validation. In affected versions, the handler calls `Request::getSchemeAndHttpHost()` to build this parameter. This method reflects the value of the HTTP `Host` header sent by the client, without any validation when Symfony’s `framework.trusted_hosts` setting is not configured (which is the default state).
An attacker who controls any other application that is registered with the same CAS server can exploit this behavior. The attacker first obtains a valid CAS ticket from a legitimate victim user (e.g., by luring the victim to authenticate through the attacker’s own application). The attacker then replays that ticket against the target Symfony application, but this time they spoof the `Host` header to match the target application’s expected hostname. Because the CAS server validates the ticket against the `service` URL provided in the validation request, and that URL is derived from the spoofed `Host` header, the CAS server accepts the ticket as valid for the target service. The Symfony application then unwittingly authenticates the attacker as the victim user, leading to a full account takeover.
The root cause is the lack of a trusted host configuration. Without `framework.trusted_hosts` set, Symfony’s `Request` object does not reject requests with a spoofed `Host` header. The `Cas2Handler` therefore uses an attacker‑controlled value to build the CAS service parameter, enabling cross‑service ticket replay. This is a classic example of a host header injection vulnerability leading to authentication bypass.
The vulnerability affects Symfony versions 7.1.0 through 7.4.11 and 8.0.0 through 8.0.11. It was fixed in versions 7.4.12 and 8.0.12 by introducing a new required `service_url` configuration option for Cas2Handler. The CAS service parameter is now built from this configured URL instead of the request’s `Host` header. Additionally, the fix now enforces that `framework.trusted_hosts` must be configured; otherwise, a `LogicException` is thrown, preventing the vulnerable code path from being reached.
The vulnerability was reported via GitHub’s Advisory Database (GHSA‑j8gj‑9rm5‑4xhx) and credited to Claude Mythos Preview (via Project Glasswing) with the fix provided by Nicolas Grekas. The CVE was published on July 14, 2026, and the patch is available in the official Symfony repository.

DailyCVE Form:

Platform: Symfony
Version: 7.1.0‑7.4.11, 8.0.0‑8.0.11
Vulnerability: Authentication Bypass by Spoofing
Severity: Moderate (CVSS 5.3)
date: 2026‑07‑14

Prediction: Already patched (2026‑07‑14)

What Undercode Say:

Analytics show that this vulnerability is particularly dangerous in environments where multiple applications share a single CAS server. The attack vector is remote and requires no user interaction beyond the victim having a valid CAS session. The following commands and code snippets illustrate the vulnerable and fixed behavior:

Check if framework.trusted_hosts is configured in Symfony
grep -r "trusted_hosts" config/packages/framework.yaml
Verify the current Symfony version
php bin/console --version
List installed symfony/security-http package version
composer show symfony/security-http

Vulnerable code path in `Cas2Handler`:

// Before patch - service URL derived from request Host header
$serviceUrl = Request::getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo();

Fixed code path (with `service_url` configuration):

// After patch - service URL taken from configured value
$serviceUrl = $this->serviceUrl; // configured in security.yaml

Exploit:

An attacker can perform the following steps:

  1. Register a malicious application with the same CAS server as the target Symfony app.
  2. Lure a victim to authenticate through the malicious app, obtaining a valid CAS ticket (e.g., ST-123456-abcde).
  3. Craft an HTTP request to the target Symfony application’s CAS validation endpoint, e.g., `https://target-app.com/login_check`.
  4. Include the victim’s ticket as a parameter and set the `Host` header to the target application’s hostname.
  5. The CAS server validates the ticket against the `service` URL derived from the spoofed `Host` header and accepts it.
  6. The Symfony application establishes a session for the victim user, allowing the attacker to impersonate them.

Example cURL command:

curl -X GET "https://target-app.com/login_check?ticket=ST-123456-abcde" \
-H "Host: target-app.com" \
-H "User-Agent: Mozilla/5.0"

No public exploit code is available, but the attack is trivial to reproduce once the conditions are met.

Protection:

  • Upgrade Symfony to version 7.4.12 or 8.0.12 (or later) immediately.
  • Configure `framework.trusted_hosts` in your `config/packages/framework.yaml` file to restrict allowed `Host` headers:
    framework:
    trusted_hosts: ['^target-app.com$']
    
  • Set the `service_url` option for `Cas2Handler` in your security configuration:
    security:
    firewalls:
    main:
    cas:
    service_url: 'https://target-app.com/login_check'
    
  • If you cannot upgrade immediately, apply the patch from the Symfony repository (commit `5ba145dba702404801bdf9e7e8d6df170060d541` for branch 7.4).
  • Monitor your CAS server logs for any suspicious ticket replay attempts.

Impact:

  • Confidentiality: An attacker can gain access to any victim’s account, potentially exposing sensitive user data.
  • Integrity: The attacker can perform actions on behalf of the victim, including modifying data or performing privileged operations.
  • Availability: While not directly impacting availability, account takeover can lead to denial of service for the legitimate user.
  • Scope: All Symfony applications using CAS authentication with `Cas2Handler` and without `trusted_hosts` configured are vulnerable.
  • Exploitability: The attack is remote, requires low complexity, and no special privileges, making it highly attractive for malicious actors.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top