CVE-2019-18886
Description
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7 allow user enumeration via different error handling in the 'switch users' functionality.
Vulnerability
Overview
An issue in Symfony 4.2.0 through 4.2.11 and 4.3.0 through 4.3.7 allows user enumeration: when a requester who is not authorized to switch users attempts it anyway, the application responds differently depending on whether the target username exists [1][2][3]. The flaw lies in the switch-user handling of the symfony/security component. The 4.3.8 changelog records the fix as throwing an AccessDeniedException whenever the switch fails, so that an unauthorized attempt ends the same way whether or not the target exists [4]. Before the fix, the response to such an attempt is an existence oracle for usernames.
Exploitation
An attacker with a low-privileged session, but without the permission to switch users, sends switch-user requests (by default a request carrying the _switch_user parameter) naming candidate usernames. If the target does not exist, the application fails in one way; if the target exists but the requester is not allowed to switch, it fails in another. Comparing the two responses tells the attacker which usernames are valid, without authenticating as any target or holding the switch-user permission [1][2][3]. Network access to the application and the ability to send switch-user requests are all that is required.
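To make the oracle concrete, the following is an added PHP model, not Symfony's own code: the class and function names are hypothetical, the user store is constructed inline, and the two exception classes only borrow their names from the Symfony exceptions so the script runs without the framework installed. It contrasts a handler that loads the target before the caller's permission is settled (an unknown username surfaces as one exception, a known one as another) with a handler that normalizes every failure of an unauthorized attempt to the same AccessDeniedException, which is the behaviour the 4.3.8 changelog describes.

```php
<?php
// Added illustration (not Symfony's code). Names below are hypothetical;
// the exception classes mirror the Symfony ones in name only.

class UsernameNotFoundException extends RuntimeException {}
class AccessDeniedException extends RuntimeException {}

// Constructed user store: two real accounts, nothing else.
final class InMemoryUserProvider
{
    private array $users = ['alice' => ['ROLE_USER'], 'bob' => ['ROLE_USER']];

    public function loadUserByUsername(string $username): array
    {
        if (!isset($this->users[$username])) {
            throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
        }
        return ['username' => $username, 'roles' => $this->users[$username]];
    }
}

// The caller in every probe below is a plain ROLE_USER, i.e. the
// "unauthorized attempt" of the advisory: it never holds the switch role.
function callerMaySwitch(array $callerRoles): bool
{
    return in_array('ROLE_ALLOWED_TO_SWITCH', $callerRoles, true);
}

// Vulnerable ordering: the target is loaded before the permission check,
// so a missing target escapes as UsernameNotFoundException while an
// existing target is refused with AccessDeniedException. Two different
// failures, one bit of information per probe.
function attemptSwitchVulnerable(InMemoryUserProvider $p, array $callerRoles, string $target): array
{
    $user = $p->loadUserByUsername($target);   // may throw UsernameNotFoundException
    if (!callerMaySwitch($callerRoles)) {
        throw new AccessDeniedException();
    }
    return $user;
}

// Hardened variant: a lookup failure is folded into the same
// AccessDeniedException the permission check raises, so an unauthorized
// caller observes one outcome regardless of whether the target exists.
function attemptSwitchFixed(InMemoryUserProvider $p, array $callerRoles, string $target): array
{
    try {
        $user = $p->loadUserByUsername($target);
    } catch (UsernameNotFoundException $e) {
        throw new AccessDeniedException();
    }
    if (!callerMaySwitch($callerRoles)) {
        throw new AccessDeniedException();
    }
    return $user;
}

// Enumeration probe: report the exception class an attacker would observe
// for a given handler and target.
function probe(callable $handler, InMemoryUserProvider $p, string $target): string
{
    try {
        $handler($p, ['ROLE_USER'], $target);
        return 'switched';
    } catch (RuntimeException $e) {
        return get_class($e);
    }
}

$provider = new InMemoryUserProvider();
foreach (['attemptSwitchVulnerable', 'attemptSwitchFixed'] as $handler) {
    foreach (['alice', 'mallory'] as $target) {
        printf("%-24s target=%-8s -> %s\n", $handler, $target, probe($handler, $provider, $target));
    }
}
```

Run with the PHP CLI. The vulnerable handler reports AccessDeniedException for alice and UsernameNotFoundException for mallory, which is exactly the distinguishable pair the attacker harvests; the hardened handler reports AccessDeniedException for both. The model catches and re-throws rather than simply reordering the checks because a real switch-user permission check may need the loaded target user as its subject; what matters for the fix is that the outcome visible to an unauthorized caller does not depend on the lookup result.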
Impact
A successful enumeration yields a list of valid usernames for credential stuffing, password spraying, brute-force guessing or targeted phishing. The flaw exposes no data and grants no privileges on its own, but confirming which accounts exist removes the guesswork from those follow-on attacks [1][2][3].
Mitigation
The vulnerability is fixed in Symfony 4.2.12 and 4.3.8 [4]; upgrade to those releases or later. Where an upgrade must wait, disable or tightly restrict the switch-user feature in the firewall configuration and alert on sessions that submit many distinct switch-user targets, which is the signature of an enumeration run. The cited sources report no active exploitation; the fix shipped as part of a security release [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the advisory's first range starts at 4.1.0, earlier than the 4.2.0 floor given in the description above.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/security-http (Packagist) | >= 4.1.0, < 4.2.12 | 4.2.12 |
| symfony/security-http (Packagist) | >= 4.3.0, < 4.3.8 | 4.3.8 |
| symfony/symfony (Packagist) | >= 4.1.0, < 4.2.12 | 4.2.12 |
| symfony/symfony (Packagist) | >= 4.3.0, < 4.3.8 | 4.3.8 |
Affected products
- symfony/symfony (no CPE assigned): >= 4.1.0, < 4.2.12 and >= 4.3.0, < 4.3.8, the same two ranges as the affected packages table above
Patches
187fb08703e62 Merge pull request #34352 from fabpot/release-4.3.8
2 files changed · +12 −2
CHANGELOG-4.3.md+10 −0 modified@@ -7,6 +7,16 @@ in 4.3 minor versions. To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v4.3.0...v4.3.1 +* 4.3.8 (2019-11-13) + + * bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas) + * security #cve-2019-18886 [Security\Core] throw AccessDeniedException when switch user fails (nicolas-grekas) + * security #cve-2019-18888 [Mime] fix guessing mime-types of files with leading dash (nicolas-grekas) + * security #cve-2019-11325 [VarExporter] fix exporting some strings (nicolas-grekas) + * security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas) + * security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas) + * security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof) + * 4.3.7 (2019-11-11) * bug #34294 [Workflow] Fix error when we use ValueObject for the marking property (FabienSalles)
src/Symfony/Component/HttpKernel/Kernel.php+2 −2 modified@@ -73,12 +73,12 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl private $requestStackSize = 0; private $resetServices = false; - const VERSION = '4.3.8-DEV'; + const VERSION = '4.3.8'; const VERSION_ID = 40308; const MAJOR_VERSION = 4; const MINOR_VERSION = 3; const RELEASE_VERSION = 8; - const EXTRA_VERSION = 'DEV'; + const EXTRA_VERSION = ''; const END_OF_MAINTENANCE = '01/2020'; const END_OF_LIFE = '07/2020';
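Review bot: this PR carries only the release bookkeeping for 4.3.8; the code change that actually throws AccessDeniedException for a failed switch is referenced by the line `security #cve-2019-18886 [Security\Core] throw AccessDeniedException when switch user fails (nicolas-grekas)` but is not in this diff, so anyone auditing the fix needs the underlying security commit linked from the changelog. Two smaller points on the same hunk: the entry is tagged [Security\Core] while the advisory table on this page lists symfony/security-http as the affected package, so the component label should match the package consumers need to bump; and CVE-2019-18888 appears twice ([Mime] and [HttpFoundation]), which is legitimate for a fix touching two components but reads as a duplicate without a note saying so.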
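Review bot: the version bump is internally consistent (VERSION '4.3.8', VERSION_ID 40308, RELEASE_VERSION 8, EXTRA_VERSION ''), so nothing to change in this hunk; worth flagging for consumers that END_OF_MAINTENANCE stays at '01/2020' and END_OF_LIFE at '07/2020', so a deployment that upgrades only to 4.3.8 for this CVE has roughly two months of further bug fixes ahead and should plan the move to a maintained branch.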
References
- github.com/advisories/GHSA-4vpc-5jx4-cfqg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-18886 (NVD entry)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2019-18886.yaml (FriendsOfPHP advisory, symfony/security-http)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18886.yaml (FriendsOfPHP advisory, symfony/symfony)
- github.com/symfony/symfony/releases/tag/v4.3.8 (release tag)
- symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality (Symfony security blog post)
- symfony.com/blog/symfony-4-3-8-released (release announcement)
- symfony.com/cve-2019-18886 (Symfony CVE page)