PT-2026-44138 · Symfony · Symfony

Published 2026-05-21 · Updated 2026-05-27 · CVE-2026-45069

CVSS v4.0: 4.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 6.4

Description: The OidcTokenHandler component, used for OpenID Connect access-token handling, fails to properly validate mandatory claims in bearer JWTs. Although it registers checkers for audience (aud), issuer (iss) and expiry (exp), it does not pass the $mandatoryClaims argument to ClaimCheckerManager::check(). As a result, only claims that are actually present in the token are checked, and missing ones are silently skipped. A validly signed JWT that omits the aud, iss and exp claims therefore passes verification.

Recommendations: Update to version 6.4 or later.
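The difference between the two calls, as an added illustration that is not taken from the advisory or from Symfony's code: both functions run the same three checkers from the web-token/jwt-framework checker component, but only the strict one passes the mandatory-claim list to check(). The checker class names and constructor arguments are my recollection of that library's API (an assumption, not stated on the page), and the issuer, audience and token payload are constructed sample values.

```php
<?php
// Added example, not from the advisory or Symfony. Requires web-token/jwt-checker;
// the checker constructor arguments below are assumptions about that library's API.
require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Checker\MissingMandatoryClaimException;

// Constructed sample payload: a subject and issued-at, but no aud, iss or exp.
// Signature verification is out of scope; assume the JWS was already verified.
$claims = ['sub' => 'user-123', 'iat' => time()];

$manager = new ClaimCheckerManager([
    new IssuerChecker(['https://idp.example.test']), // constructed issuer
    new AudienceChecker('my-api'),                    // constructed audience
    new ExpirationTimeChecker(),
]);

// Weak form, matching the behaviour the advisory describes: no $mandatoryClaims,
// so each checker runs only if its claim is present; a bare token is accepted.
function checkLenient(ClaimCheckerManager $m, array $claims): bool
{
    try {
        $m->check($claims);
        return true; // nothing to check, nothing fails
    } catch (\Throwable $e) {
        return false;
    }
}

// Hardened form: name the claims that must exist, so absence is a rejection
// rather than a silent skip.
function checkStrict(ClaimCheckerManager $m, array $claims): bool
{
    try {
        $m->check($claims, ['iss', 'aud', 'exp']);
        return true;
    } catch (MissingMandatoryClaimException $e) {
        // $e->getClaims() lists which required claims were absent.
        return false;
    } catch (\Throwable $e) {
        return false; // a present claim failed its checker
    }
}

var_dump(checkLenient($manager, $claims)); // lenient: stripped token accepted
var_dump(checkStrict($manager, $claims));  // strict: stripped token rejected
```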


Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-45069
GHSA-29FC-P6C4-24CG

Affected Products

Symfony