Listen to this Post
CVE-2026-47767 is a vulnerability in the Symfony PHP framework that allows an unauthenticated attacker to manipulate the application’s environment variables (APP_ENV) and debug mode (APP_DEBUG) via crafted web requests. This issue is a bypass of a previous patch, CVE-2024-50340, which originally addressed the same attack vector but implemented an inadequate fix.
The root cause lies in the SymfonyRuntime component, which is responsible for bootstrapping the application in both CLI and web SAPI (Server API) contexts. To determine if the request is coming from the command line, the runtime checks the `$_GET` superglobal. If `$_GET` is empty, it assumes a CLI invocation and parses `$_SERVER[‘argv’]` to extract command-line arguments like `–env` and --no-debug. However, this assumption is flawed.
The vulnerability exploits a disagreement between two PHP mechanisms: `parse_str()` and the web SAPI’s query string parsing. When `register_argc_argv` is enabled in the PHP configuration (register_argc_argv=On), the web SAPI builds the `$_SERVER[‘argv’]` array directly from the raw query string. Meanwhile, `parse_str()` is used to populate the `$_GET` superglobal. These two parsers do not always interpret the query string identically. An attacker can craft a query string that causes `parse_str()` to produce an empty `$_GET` array, while the SAPI still populates `$_SERVER[‘argv’]` with attacker-controlled values like `–env=dev` or --no-debug.
Because the SymfonyRuntime gates its argv parsing on empty($_GET), it mistakenly treats the web request as a CLI invocation and processes the attacker-supplied flags from $_SERVER['argv']. This effectively restores the exact attack primitive that CVE-2024-50340 was supposed to prevent. The impact is significant: an attacker can switch the application to a different environment (e.g., from `prod` to dev), which may expose sensitive debugging information, alter configuration, or enable insecure settings. Additionally, toggling `APP_DEBUG` can reveal stack traces, database queries, and other internal details.
The vulnerability affects all Symfony applications that use the `symfony/runtime` component, are run under a web SAPI with register_argc_argv=On, and are using vulnerable versions. The fix, implemented in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12, replaces the `empty($_GET)` check with isset($_SERVER['QUERY_STRING']). This ensures that the runtime uses the same input source as the SAPI, eliminating the parsing discrepancy. The vulnerability is classified as medium severity with a CVSS v4 score of 8.3 (High) according to GitHub, Inc., and a CVSS v3 score not yet assigned by NIST.
DailyCVE Form:
Platform: Symfony (PHP)
Version: 5.4.46-5.4.51, 6.4.14-6.4.39, 7.1.7-7.4.11, 8.0.0-8.0.11
Vulnerability: Interpretation Conflict (CWE-436)
Severity: Medium (CVSS v4: 8.3 High)
date: 2026-07-14
Prediction: 2026-07-21 (within 7 days)
What Undercode Say:
Analytics indicate that this vulnerability is being actively discussed in security communities. The EPSS score is 0.10% (probability of exploitation in the wild), but given the widespread use of Symfony, the risk is elevated. The patch commit is available and has been merged into the main branches. Organizations are advised to prioritize updating, especially if they have `register_argc_argv=On` in their php.ini.
To check if your application is vulnerable, you can use the following Composer command:
composer show symfony/runtime | grep versions
To verify the PHP configuration:
php -i | grep register_argc_argv
A vulnerable setup will show register_argc_argv => On => On.
To test the vulnerability manually, you can craft a curl request:
curl 'http://vulnerable-app.com/?--env=dev' -v
Or with URL encoding to bypass `parse_str()`:
curl 'http://vulnerable-app.com/?%2D%2Denv=dev' -v
If the application responds with debug information or changes behavior, it is likely vulnerable.
Exploit:
An attacker can exploit this vulnerability by sending a GET request with a specially crafted query string. The goal is to make `$_GET` appear empty while `$_SERVER[‘argv’]` contains the desired flags. One known technique is to use a query string that `parse_str()` interprets as empty, such as a leading `?` or using certain character encodings. For example:
?--env=dev
In some SAPI implementations, this will populate `$_SERVER[‘argv’]
` with <code>--env=dev</code>, but `parse_str()` may return an empty array. The SymfonyRuntime then processes <code>$_SERVER['argv']</code>, changing `APP_ENV` to <code>dev</code>. <h2 style="color: blue;">More advanced payloads can toggle `APP_DEBUG`:</h2> [bash] ?--no-debug
Or combine both:
?--env=dev --no-debug
The attacker does not need authentication and can perform this attack remotely over HTTP.
Protection:
The primary protection is to upgrade to a patched version of Symfony:
– For 5.4 branch: upgrade to 5.4.52 or later.
– For 6.4 branch: upgrade to 6.4.40 or later.
– For 7.4 branch: upgrade to 7.4.12 or later.
– For 8.0 branch: upgrade to 8.0.12 or later.
If an immediate upgrade is not possible, you can apply the following workaround:
– Disable `register_argc_argv` in your php.ini: register_argc_argv = Off. Note that this may break CLI scripts that rely on $argv.
– Alternatively, you can manually patch the `SymfonyRuntime` class by replacing the `empty($_GET)` check with `!isset($_SERVER[‘QUERY_STRING’])` in the `getInput()` method. However, this is not recommended as it may be overwritten by future updates.
Additionally, you can use a Web Application Firewall (WAF) to block requests containing `–env` or `–no-debug` in the query string, though this is a temporary measure.
Impact:
Successful exploitation allows an attacker to:
- Change the application environment (e.g., from `prod` to
dev), potentially exposing sensitive configuration, debug tools, or enabling insecure error handling. - Enable debug mode (
APP_DEBUG=1), which can leak stack traces, database queries, and other internal information. - Alter the behavior of the application in ways that may lead to further attacks, such as privilege escalation or information disclosure.
The impact is considered moderate to high, as it can lead to the exposure of sensitive data and facilitate further compromise. The vulnerability is remotely exploitable without authentication, making it a significant risk for internet-facing applications.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

