CVE-2026-45069
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Description

`OidcTokenHandler` is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the `web-token/jwt-checker` library's `ClaimCheckerManager`.

`OidcTokenHandler::verifyClaims()` registers audience (`aud`), issuer (`iss`), and expiry (`exp`) checkers, but never passes the `$mandatoryClaims` argument to `ClaimCheckerManager::check()`. That method only validates claims that are *present* in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply **omits** `aud`, `iss`, and `exp` therefore passes verification.

### Resolution

The `OidcTokenHandler` now calls the `ClaimCheckerManager` with the list of mandatory claims so that tokens missing `aud`, `iss`, or `exp` are rejected.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d) for branch 6.4.

### Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
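The two call patterns the advisory contrasts, reduced to a stand-alone script. This is an added illustration, not Symfony's `OidcTokenHandler` code: it assumes the `web-token/jwt-checker` API (`ClaimCheckerManager`, `AudienceChecker`, `IssuerChecker`, `ExpirationTimeChecker`, `MissingMandatoryClaimException`) installed via Composer, and it feeds the manager a constructed claim set that carries no `aud`, `iss` or `exp`; the audience and issuer strings are placeholders. Signature verification is out of scope here, since the advisory's point is that a token can be validly signed and still lack these claims.

```php
<?php
// Added illustration of the ClaimCheckerManager behaviour described in the
// advisory; not Symfony's code. Assumes web-token/jwt-checker is installed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Checker\MissingMandatoryClaimException;

// The same three checkers the advisory says verifyClaims() registers.
function buildManager(string $audience, string $issuer): ClaimCheckerManager
{
    return new ClaimCheckerManager([
        new AudienceChecker($audience),
        new IssuerChecker([$issuer]),
        new ExpirationTimeChecker(),
    ]);
}

// Constructed claim set: what a signed token's payload looks like when the
// issuer-side claims aud/iss/exp are simply absent. Only sub and iat remain.
$claims = ['sub' => 'alice', 'iat' => time()];

// Placeholder audience and issuer values (assumptions, not from the advisory).
$manager = buildManager('https://api.example.test', 'https://idp.example.test');

// Vulnerable pattern: no mandatory list. Each checker is only consulted for a
// claim that is present, so a payload with none of them passes untouched.
$manager->check($claims);
echo "check(\$claims): accepted (aud/iss/exp never examined)\n";

// Fixed pattern: name the claims that must be present. The manager now
// rejects the payload before any individual checker runs.
try {
    $manager->check($claims, ['aud', 'iss', 'exp']);
    echo "check(\$claims, ['aud','iss','exp']): accepted\n";
} catch (MissingMandatoryClaimException $e) {
    echo "check(\$claims, ['aud','iss','exp']): rejected: " . $e->getMessage() . "\n";
}
```

When auditing your own code that wraps `ClaimCheckerManager`, the thing to grep for is a `check()` call with a single argument: registering an `ExpirationTimeChecker` is not the same as requiring `exp` to exist, and the second argument is the only place that requirement is expressed.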
Affected packages (3)
- Debian/symfony: from 0
- Packagist/symfony/security-http: >= 6.3.0, < 6.4.40
- Packagist/symfony/symfony: >= 6.3.0, < 6.4.40
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-45069
- PATCH: https://github.com/symfony/symfony
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45069.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45069.yaml
- WEB: https://github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d
- WEB: https://github.com/symfony/symfony/security/advisories/GHSA-29fc-p6c4-24cg
- WEB: https://symfony.com/cve-2026-45069