UBUNTU-CVE-2026-45074
A vulnerability in the Symfony PHP framework versions prior to 7.4.12 and 8.0.12 allows an attacker to exploit the CAS service parameter construction from an attacker-controlled Host header when framework.trusted_hosts is not configured. This can enable an attacker controlling another application registered with the same CAS server to replay a victim's ticket and authenticate as that victim. The issue is fixed in Symfony versions 7.4.12 and 8.0.12.
AI Analysis
Technical Summary
Symfony versions from 7.1.0 until 7.4.12 and 8.0.12 build the CAS service parameter using Request::getSchemeAndHttpHost(), which reflects the Host header. If the framework.trusted_hosts configuration is not set, an attacker controlling another application registered with the same CAS server can replay a victim's ticket against the Symfony application and authenticate as the victim. This vulnerability is resolved in versions 7.4.12 and 8.0.12.
Potential Impact
An attacker who controls another application registered with the same CAS server can replay a victim's ticket against a vulnerable Symfony application and authenticate as that victim. This can lead to unauthorized access to the victim's account or privileges within the Symfony application.
Mitigation Recommendations
Upgrade Symfony to version 7.4.12 or 8.0.12 or later where this vulnerability is fixed. Additionally, ensure that the framework.trusted_hosts configuration is properly set to prevent reflection of attacker-controlled Host headers. Patch status is confirmed fixed in versions 7.4.12 and 8.0.12.
UBUNTU-CVE-2026-45074
Description
A vulnerability in the Symfony PHP framework versions prior to 7.4.12 and 8.0.12 allows an attacker to exploit the CAS service parameter construction from an attacker-controlled Host header when framework.trusted_hosts is not configured. This can enable an attacker controlling another application registered with the same CAS server to replay a victim's ticket and authenticate as that victim. The issue is fixed in Symfony versions 7.4.12 and 8.0.12.
CVSS v4.0
Affected software
pkg:deb/ubuntu/[email protected]?arch=source&distro=xenialpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu0.1+esm2?arch=source&distro=esm-apps/bionicpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1+esm2?arch=source&distro=esm-apps/focalpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu8+esm1?arch=source&distro=esm-apps/jammypkg:deb/ubuntu/[email protected]+dfsg-3ubuntu3+esm1?arch=source&distro=esm-apps/noblepkg:deb/ubuntu/[email protected]+dfsg-1?arch=source&distro=questingpkg:deb/ubuntu/[email protected]+dfsg-1ubuntu1?arch=source&distro=resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Symfony versions from 7.1.0 until 7.4.12 and 8.0.12 build the CAS service parameter using Request::getSchemeAndHttpHost(), which reflects the Host header. If the framework.trusted_hosts configuration is not set, an attacker controlling another application registered with the same CAS server can replay a victim's ticket against the Symfony application and authenticate as the victim. This vulnerability is resolved in versions 7.4.12 and 8.0.12.
Potential Impact
An attacker who controls another application registered with the same CAS server can replay a victim's ticket against a vulnerable Symfony application and authenticate as that victim. This can lead to unauthorized access to the victim's account or privileges within the Symfony application.
Mitigation Recommendations
Upgrade Symfony to version 7.4.12 or 8.0.12 or later where this vulnerability is fixed. Additionally, ensure that the framework.trusted_hosts configuration is properly set to prevent reflection of attacker-controlled Host headers. Patch status is confirmed fixed in versions 7.4.12 and 8.0.12.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-45074
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:16.04:LTS","Ubuntu:Pro:18.04:LTS","Ubuntu:Pro:20.04:LTS","Ubuntu:Pro:22.04:LTS","Ubuntu:Pro:24.04:LTS","Ubuntu:25.10","Ubuntu:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 4.0
Threat ID: 6a58b4ac68715ace43da936c
Added to database: 07/16/2026, 10:38:36 UTC
Last enriched: 07/16/2026, 12:47:30 UTC
Last updated: 07/16/2026, 12:47:30 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.