PT-2026-44138

🗓️ 27 May 2026 00:00:00Reported by Positive TechnologiesType

ptsecurity

ptsecurity🔗 dbugs.ptsecurity.com👁 3 Views

OidcTokenHandler now passes claims to the claim checker to reject tokens missing aud, iss, or exp.

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2026-45069	20 May 202610:58	–	circl
CVE	CVE-2026-45069	1 Jan 197000:00	–	cve
Debian	[SECURITY] [DSA 6312-1] symfony security update	31 May 202612:26	–	debian
Debian CVE	CVE-2026-45069	1 Jan 197000:00	–	debiancve
Tenable Nessus	Debian dsa-6312 : php-symfony - security update	1 Jun 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-45069	21 May 202600:00	–	nessus
Friends Of PHP	CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims	1 Jan 197000:00	–	friendsofphp
Friends Of PHP	CVE-2026-45069: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims	1 Jan 197000:00	–	friendsofphp
Github Security Blog	Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims	27 May 202621:03	–	github
OSV	DEBIAN-CVE-2026-45069	21 May 202605:48	–	osv

Source	Link
osv	www.osv.dev/vulnerability/GHSA-29fc-p6c4-24cg
github	www.github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45069.yaml
github	www.github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d
github	www.github.com/symfony/symfony/security/advisories/GHSA-29fc-p6c4-24cg
github	www.github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45069.yaml
github	www.github.com/symfony/symfony
symfony	www.symfony.com/cve-2026-45069

27 May 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 47.1

OpenID Connect Token validation Audience check Issuer check Expiry check Claim checker Mandatory claims Symfony