PT-2026-44143 · Symfony · Symfony

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45074

CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Symfony version 7.4 (affected versions not specified)
Description: The Cas2Handler builds the CAS service parameter with Request::getSchemeAndHttpHost(), which reflects the incoming HTTP Host header whenever the framework.trusted_hosts setting is not configured. An attacker who controls another application registered with the same CAS server can therefore spoof the Host header and replay a victim's service ticket against this application, and the application authenticates the attacker as that victim.
Recommendations: Configure the new, required service URL option on Cas2Handler so that the CAS service parameter is built from a configured URL rather than from the request's Host header.
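The following is an added illustration, not Symfony's or the advisory's own code, that models the exchange described above end to end: a toy CAS server that binds each service ticket to the service URL it was issued for, an application that exchanges a ticket for a user, and a replay in which the ticket issued to one application is presented to another with a spoofed Host header. The names CasServer, Request, authenticate, replay_scenario and the hosts app-a.example and app-b.example are constructed for the example; the trusted-hosts check mirrors Symfony's behaviour of matching the Host header against a list of regular expressions and rejecting anything that does not match.

```python
"""Why deriving the CAS 'service' parameter from the Host header is unsafe,
and how a configured service URL or a trusted-hosts allowlist blocks the replay.
Constructed illustration; not Symfony code."""
import re
from dataclasses import dataclass, field


@dataclass
class CasServer:
    """Minimal CAS ticket store: each service ticket is bound to the exact
    service URL that requested it, as in the real protocol."""
    tickets: dict = field(default_factory=dict)  # ticket -> (service, user)

    def login(self, service, user):
        ticket = f"ST-{len(self.tickets) + 1}-constructed"
        self.tickets[ticket] = (service, user)
        return ticket

    def service_validate(self, service, ticket):
        """Return the user only if the (single-use) ticket was issued for this service."""
        bound_service, user = self.tickets.pop(ticket, (None, None))
        return user if bound_service == service else None


class SuspiciousOperation(ValueError):
    """Host header rejected by the trusted-hosts allowlist."""


@dataclass
class Request:
    scheme: str
    host: str   # HTTP Host header: chosen by whoever sends the request
    path: str


def scheme_and_http_host(req, trusted_hosts=()):
    """Stand-in for Request::getSchemeAndHttpHost(): reflects the Host header
    unless a trusted-hosts allowlist (regexes, hypothetical here) rejects it."""
    if trusted_hosts and not any(re.fullmatch(p, req.host, re.I) for p in trusted_hosts):
        raise SuspiciousOperation(f"untrusted Host header: {req.host}")
    return f"{req.scheme}://{req.host}"


def authenticate(cas, req, ticket, *, service_url=None, trusted_hosts=()):
    """Exchange a service ticket for a user.  With service_url=None the service
    parameter is derived from the request (the vulnerable pattern); with a
    configured service_url it is fixed (the recommended fix)."""
    if service_url is None:
        service = scheme_and_http_host(req, trusted_hosts) + req.path
    else:
        service = service_url
    return cas.service_validate(service, ticket)


def replay_scenario(service_url=None, trusted_hosts=()):
    """The victim logs in to app B (registered with the same CAS server); the
    resulting ticket is then presented to app A with Host set to app B's name.
    Returns the user app A ends up authenticating, or None if validation fails."""
    cas = CasServer()
    # Victim's legitimate login, producing a ticket bound to app B's service URL.
    ticket = cas.login("https://app-b.example/login/cas", "victim")
    # Request to app A carrying that ticket, with a Host header claiming to be app B.
    spoofed = Request("https", "app-b.example", "/login/cas")
    return authenticate(cas, spoofed, ticket,
                        service_url=service_url, trusted_hosts=trusted_hosts)


def replay_blocked_by_trusted_hosts(patterns):
    """True if the trusted-hosts allowlist alone stops the replay."""
    try:
        replay_scenario(trusted_hosts=patterns)
    except SuspiciousOperation:
        return True
    return False


if __name__ == "__main__":
    # Host-derived service: the ticket validates and app A logs in "victim".
    print("no mitigation:", replay_scenario())
    # Configured service URL: service mismatch, validation returns None.
    print("configured service URL:",
          replay_scenario(service_url="https://app-a.example/login/cas"))
    # Trusted-hosts allowlist: the spoofed Host is rejected before any CAS call.
    print("trusted hosts block replay:", replay_blocked_by_trusted_hosts([r"app-a\.example"]))
```

The configured service URL is the complete fix: app A always asks the CAS server to validate against its own URL, so a ticket issued for app B can never validate. The trusted-hosts allowlist is the defence-in-depth layer; it stops this replay only because the spoofed Host is not on the list, and an allowlist that is too permissive (for example a pattern that matches any host) leaves the Host-derived service parameter exploitable.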


Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2026-45074
GHSA-J8GJ-9RM5-4XHX

Affected Products

Symfony