CVE-2026-49212
Received Received - Intake

HMAC Signature Reuse in Symfony UX LiveComponent

Vulnerability report for CVE-2026-49212, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier (props vs propsFromParent), or request context, allowing a signed blob minted for one component or slot to be replayed in another and set a read-only prop on a target component. This issue is fixed in versions 2.36.0 and 3.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
symfony ux 3.*
symfony ux 2.x
symfony ux 3.x
symfony ux From 2.8.0 (inc) to 2.36.0 (inc)
symfony ux 3.1.0
symfony ux 2.36.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Symfony UX LiveComponent versions between 2.8.0 and 2.36.0 and 3.1.0. The HMAC checksum used to protect component state integrity only covered sorted prop key-value pairs without binding to the component name, slot identifier, or request context. This allowed attackers to reuse a valid HMAC signature from one component or slot in another context where prop names matched, enabling unauthorized modification of read-only props.

Detection Guidance

Check Symfony UX LiveComponent versions for affected releases (2.8.0 to 2.36.0 and 3.0.0 to 3.0.x). Inspect component hydration payloads for mismatched HMAC signatures or reused checksums across different components or slots. Review logs for unauthorized prop modifications in read-only components.

Impact Analysis

An attacker could exploit this to modify read-only props in a target component by replaying a valid HMAC signature from another component or slot. This could lead to unintended behavior, data corruption, or bypassing security controls that rely on read-only prop restrictions. The impact depends on how the affected component is used in the application.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing unauthorized modification of component state through replay attacks. If exploited, it may lead to improper data handling or integrity violations, which are key concerns under these regulations.

Mitigation Strategies

Upgrade Symfony UX LiveComponent to versions 2.36.0 or 3.1.0 or later. After upgrading, reload pages to invalidate old payloads. Ensure HMAC verification includes component name and slot identifier in checksum calculations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart