CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-45075

highcovered by 1 sourcefirst seen 2026-05-27
Description Symfony's #[IsGranted('...')], #[IsSignatureValid], and #[IsCsrfTokenValid(...)] attributes allow you to define a methods: [...] argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining methods: ['GET'] would be ignored for a HEAD request. On the other hand, Symfony's router (and HTTP semantics generally) serves HEAD requests using the GET handler. Therefore, a controller protected by e.g. #[IsGranted('ROLE_ADMIN', methods: ['GET'])] can be reached via HEAD with the authorization check silently skipped. Even if the HEAD request won't get any response content, response headers leak (Content-Length, Location, custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur. Resolution When adding GET in the methods option of these attributes, Symfony now also include the HEAD method automatically. The patch for this issue is available here for branch 7.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.

⚡ Watch CVE-2026-45075

Get an email if CVE-2026-45075 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-45075

CVE.org record

Embed the live status

CVE-2026-45075 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-45075 status](https://www.csirts.com/badge/CVE-2026-45075)](https://www.csirts.com/cve/CVE-2026-45075)