PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49212 symfony CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:15.930Z and has not been modified since then. Symfony UX LiveComponentHydrator has a HMAC weakness allowing replay attacks. Users of Symfony UX LiveComponentHydrator should verify their installations and update to versions 2.36.0 or 3.1.0.

Vendor
symfony
Product
ux
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Symfony UX LiveComponentHydrator should verify their installations and update to versions 2.36.0 or 3.1.0 to address the HMAC weakness. This affects users with Symfony UX LiveComponentHydrator deployments.

Technical summary

The HMAC computed by Symfony UX LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, slot identifier, or request context. This allowed a signed blob for one component or slot to be replayed in another, setting a read-only prop on a target component. The issue is fixed in versions 2.36.0 and 3.1.0. Users of Symfony UX LiveComponentHydrator should verify their installations and update to versions 2.36.0 or 3.1.0 to address the HMAC weakness, which could allow replay attacks. This affects users with Symfony UX LiveComponentHydrator deployments. Further analysis and verification are recommended due to limited CVE record and NVD entry detail.

Defensive priority

Medium priority due to the potential for replay attacks.

Recommended defensive actions

  • Verify Symfony UX LiveComponentHydrator installations and update to versions 2.36.0 or 3.1.0.
  • Review and adjust HMAC computation to include component name, slot identifier, and request context.
  • Monitor for potential replay attacks and implement compensating controls as needed.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record and NVD entry provide limited detail. Further analysis and verification are recommended. The HMAC weakness in Symfony UX LiveComponentHydrator allows replay attacks. Users should verify installations and update to fixed versions. Defensive measures include monitoring and compensating controls.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:15.930Z and has not been modified since then.