Threat Advisory

Symfony Vulnerability Opens Unpermitted Portal Channel

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-48489 (CVSS score 8.2) is an authorization bypass vulnerability in the Symfony security-http component that applies when form-based authentication is configured with the failure_forward: true option. The authentication failure handler accepts a user-controlled _failure_path parameter and forwards to it through an internal subrequest, and that subrequest is not subject to Symfony's firewall and access_control checks. An unauthenticated attacker can exploit this behavior by sending a crafted login request that makes the forward land on a protected GET endpoint, including administrative pages, internal APIs, account views, and data export functions, without valid credentials. Successful exploitation may result in unauthorized disclosure of sensitive information and circumvention of application security controls. Users are advised to upgrade to the patched versions immediately.
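The two defender-side checks that follow from the summary are (1) find out whether any firewall enables the vulnerable precondition, failure_forward: true, and (2) look for login requests whose _failure_path parameter points into a path that access_control protects. The script below is an added example and is not code from the advisory or from the Symfony project. It assumes a security.yaml-like configuration represented as a Python dict (loaded with a YAML parser in practice), access logs in combined format, and the default parameter name _failure_path; the configuration and log lines are constructed sample data.

```python
"""Defender-side triage for the Symfony failure_forward / _failure_path issue.

Added example (not the advisory's or Symfony's code).  Two checks:
  1. audit a security.yaml-like configuration for firewalls that enable
     form_login.failure_forward, and
  2. scan access-log lines for login requests whose failure path parameter
     targets a path that access_control protects.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed configuration mirroring the shape of Symfony's security.yaml.
SAMPLE_SECURITY_CONFIG = {
    "firewalls": {
        "dev": {"pattern": "^/(_(profiler|wdt)|css|images|js)/", "security": False},
        "main": {
            "form_login": {
                "login_path": "login",
                "check_path": "login",
                "failure_forward": True,  # the vulnerable precondition
                # failure_path_parameter is left at its default, "_failure_path"
            },
        },
    },
    "access_control": [  # Symfony evaluates these first-match
        {"path": "^/admin", "roles": "ROLE_ADMIN"},
        {"path": "^/api/internal", "roles": "ROLE_ADMIN"},
        {"path": "^/account", "roles": "ROLE_USER"},
        {"path": "^/export", "roles": "ROLE_USER"},
        {"path": "^/", "roles": "PUBLIC_ACCESS"},
    ],
}

# Constructed access-log lines (combined log format, query strings included).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "POST /login?_failure_path=/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2026:10:00:02 +0000] "POST /login?_failure_path=/admin/users HTTP/1.1" 200 9813 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2026:10:00:03 +0000] "POST /login?_failure_path=%2Fexport%2Fcustomers.csv HTTP/1.1" 200 40211 "-" "curl/8.0"',
    '192.0.2.4 - - [01/Jan/2026:10:00:04 +0000] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PUBLIC_ATTRIBUTES = {"PUBLIC_ACCESS", "IS_AUTHENTICATED_ANONYMOUSLY"}


def vulnerable_firewalls(config):
    """Return the names of firewalls whose form_login has failure_forward enabled."""
    found = []
    for name, firewall in config.get("firewalls", {}).items():
        form_login = firewall.get("form_login")
        if isinstance(form_login, dict) and form_login.get("failure_forward") is True:
            found.append(name)
    return found


def is_protected_path(path, config):
    """Apply access_control first-match semantics to a request path and report
    whether the matching rule requires a role (i.e. is not public)."""
    for rule in config.get("access_control", []):
        if re.search(rule["path"], path):
            roles = rule.get("roles", [])
            roles = {roles} if isinstance(roles, str) else set(roles)
            return bool(roles) and not (roles & PUBLIC_ATTRIBUTES)
    return False  # no rule matched: access_control imposes nothing


def suspicious_failure_paths(log_lines, config, login_path="/login", param="_failure_path"):
    """Return (client_ip, failure_path) pairs for login requests whose failure
    path parameter points at a protected path.  Only the query string is
    visible in an access log; the same parameter may travel in the POST body,
    which needs WAF or application-level logging to observe."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != login_path:
            continue
        for value in parse_qs(parts.query).get(param, []):
            # access_control is matched against the path component only
            if is_protected_path(urlsplit(value).path, config):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    print("firewalls with failure_forward enabled:", vulnerable_firewalls(SAMPLE_SECURITY_CONFIG))
    for ip, path in suspicious_failure_paths(SAMPLE_LOG_LINES, SAMPLE_SECURITY_CONFIG):
        print(f"login request from {ip} steers failure handling into protected path {path}")
```

With the constructed data, the audit reports the "main" firewall, and the log scan flags the two requests from 198.51.100.9 whose _failure_path resolves to /admin/users and /export/customers.csv, while the benign _failure_path=/login is ignored because the first matching access_control rule for /login is public. The configuration-side fix the advisory implies is to upgrade; until then, a firewall that does not set failure_forward (Symfony defaults it to false, which redirects on failure instead of forwarding) does not meet the precondition this check looks for.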

RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6h46-9jf5-q59x