Lucene search
+L

4 matches found

nvd
nvd
added 3 days ago4 views

CVE-2026-45069

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, OidcTokenHandler::verifyClaims registered audience aud, issuer iss, and expiry exp checkers but did not pass the mandatory claims list to...

9.1CVSS0.00232EPSS
Exploits0References4
osv
osv
added 2026/05/27 9:3 p.m.10 views

GHSA-29FC-P6C4-24CG Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...

7.1CVSS5.8AI score0.00232EPSS
Exploits0References6
github
github
added 2026/05/27 9:3 p.m.18 views

Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims

Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...

9.1CVSS5.8AI score0.00232EPSS
Exploits0References6Affected Software2
ptsecurity
ptsecurity
added 2026/05/21 12:0 a.m.13 views

PT-2026-44138

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 6.4 Description The OidcTokenHandler component, used for OpenID Connect access-token handling, fails to properly validate mandatory claims in bearer JWTs. While it registers checkers for audience aud, issuer iss, and...

8.8CVSS6.1AI score0.00232EPSS
Exploits0References17
Rows per page
Query Builder