4 matches found
CVE-2026-45069
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, OidcTokenHandler::verifyClaims registered audience aud, issuer iss, and expiry exp checkers but did not pass the mandatory claims list to...
GHSA-29FC-P6C4-24CG Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...
Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...
PT-2026-44138
Name of the Vulnerable Software and Affected Versions Symfony versions prior to 6.4 Description The OidcTokenHandler component, used for OpenID Connect access-token handling, fails to properly validate mandatory claims in bearer JWTs. While it registers checkers for audience aud, issuer iss, and...