PT-2026-44132 · Symfony · Symfony

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45063

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 5.4

Description: The X509Authenticator component, which implements client-certificate (mTLS) authentication, contains a flaw in how it extracts user identifiers from the Subject DN (Distinguished Name) supplied via `$_SERVER['SSL_CLIENT_S_DN']`. The extraction uses an unanchored regular expression to locate `emailAddress=`, so the pattern can match anywhere in the DN string, including inside the value of a different Relative Distinguished Name (RDN) such as the Common Name (CN). An attacker holding a certificate from a trusted CA with a free-text CN can place `emailAddress=victim@target` inside the CN value and be authenticated as the victim.

Recommendations: Update to the patched version of branch 5.4.
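To make the flaw concrete, here is an added illustration in Python (not Symfony's own code): the unanchored extraction described above next to two corrected forms, one with the pattern anchored to RDN boundaries and one that parses the DN into RDNs first. The DN strings are constructed samples in Apache's legacy `/TYPE=value` format, and the function names are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample DNs in Apache's legacy "/TYPE=value" form (not real certificates).
LEGIT_DN = "/C=US/O=Example Corp/CN=Alice Example/emailAddress=alice@example.test"
# The CN carries free text that merely looks like an emailAddress RDN.
SPOOFED_DN = "/C=US/O=Example Corp/CN=emailAddress=victim@target.test"

# Flawed approach: the pattern may start matching anywhere in the DN string.
EMAIL_RE_UNANCHORED = re.compile(r"emailAddress=([^/]+)")
# Anchored variant: "emailAddress=" must begin an RDN (start of string or after "/"),
# and its value must run up to the next "/" or the end of the string.
EMAIL_RE_ANCHORED = re.compile(r"(?:^|/)emailAddress=([^/]+)(?=/|$)")


def extract_email_unanchored(dn: str) -> Optional[str]:
    """Reproduces the flaw: 'emailAddress=' inside another RDN's value is accepted."""
    m = EMAIL_RE_UNANCHORED.search(dn)
    return m.group(1) if m else None


def extract_email_anchored(dn: str) -> Optional[str]:
    """Same extraction, but the pattern is anchored to RDN boundaries."""
    m = EMAIL_RE_ANCHORED.search(dn)
    return m.group(1) if m else None


def parse_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split the DN into (type, value) pairs. Each component is split on its FIRST
    '=' only, so an '=' inside a value stays part of that value.
    Assumes values contain no unescaped '/' (a limitation of the legacy format)."""
    pairs = []
    for component in dn.split("/"):
        if not component:
            continue
        attr_type, sep, value = component.partition("=")
        if not sep or not attr_type:
            raise ValueError(f"malformed RDN component: {component!r}")
        pairs.append((attr_type, value))
    return pairs


def extract_email_structured(dn: str) -> Optional[str]:
    """Preferred: walk the parsed RDNs and accept exactly one emailAddress attribute."""
    values = [v for t, v in parse_rdns(dn) if t == "emailAddress"]
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    for label, dn in (("legit", LEGIT_DN), ("spoofed", SPOOFED_DN)):
        print(label, extract_email_unanchored(dn), extract_email_anchored(dn),
              extract_email_structured(dn))
```

Run against the spoofed DN, the unanchored form returns the victim's address while both corrected forms return no identifier, which is the behaviour a detection or regression test for this issue should assert.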

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-45063
GHSA-PH86-P8F6-F9R2

Affected Products

Symfony