symfony/ux-live-component's server-side state protection uses HMAC signatures that omit the component name and slot identifier from the hash pre-image, meaning a valid signature minted for component A will verify on component B if their prop key names overlap — enabling cross-component and cross-slot replay attacks. A client-side attacker can exploit this to override read-only LiveProps (values the server explicitly marks as untamperable) with values they were only authorized to set as writable props on a different component, effectively bypassing any access control or security flag enforced through those props. The package has 5,435 downstream dependents and 16 prior CVEs in the same codebase, so exposure is meaningful for PHP/Symfony-based AI platform frontends that surface model configuration, subscription tiers, or feature gates through live components. No public exploit exists and the issue is absent from CISA KEV, but the cryptographic design flaw requires no specialized tooling — only knowledge of the target application's component structure. Upgrade to symfony/ux-live-component 2.36.0 immediately; no runtime workaround short of patching exists.
What is the risk?
CVSS-rated low but the underlying cryptographic design flaw is well-understood and the exploit path is straightforward once an attacker maps component structure. The attack is entirely client-side, requires no credentials, and leaves no unusual authentication artifacts. Practical blast radius depends on whether the application's component graph has writable and read-only props sharing key names — a condition common in real-world Symfony UX apps that reuse domain models across components. For AI platforms using read-only props to gate inference tiers, quota limits, or admin flags, the business impact can materially exceed what the low severity label implies.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | composer | >= 2.8.0, < 2.36.0 | 2.36.0 |
Do you use Anthropic Python? You're affected.
What should I do?
1. Upgrade symfony/ux-live-component to 2.36.0 (patch commit a224b5af3e2e33ee14ac71356ae0e0877900a81c covers both 2.x and 3.x branches).
2. No runtime workaround exists — the flaw is in the HMAC pre-image construction inside LiveComponentHydrator.
3. Audit all LiveProp-annotated properties with security significance (access tiers, feature flags, admin state, subscription controls) and confirm they cannot be influenced by cross-component prop replay.
4. Review server-side logs and component hydration events for anomalous or unexpected prop values on protected components.
5. If an immediate upgrade is blocked by compatibility constraints, replace read-only props that control security decisions with server-authoritative lookups that bypass the HMAC scheme entirely.
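Step 5 in code, as an added example that is not part of the advisory or of the package: a live component whose feature gate rides on a read-only prop, beside one that re-derives the tier from Symfony's server-side security context on every render, so no client-supplied state (signed or not) enters the decision. The component names, `App\Entity\User` and its `getSubscriptionTier()` method are assumptions of this example; the attributes, trait and `Security` service are Symfony's own.

```php
<?php
// Added example, not code from the advisory or from symfony/ux-live-component.
// "Before": the access decision depends on a read-only LiveProp, i.e. state that
// is round-tripped through the browser and protected only by the HMAC.
// "After": the decision is made from the authenticated user on the server.
// App\Entity\User and getSubscriptionTier() are assumed to exist in the app.

declare(strict_types=1);

namespace App\Twig\Components;

use App\Entity\User;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveProp;
use Symfony\UX\LiveComponent\DefaultActionTrait;

// BEFORE: a read-only prop carries the tier between requests. The client cannot
// legitimately change it, but it is exactly the kind of value a replayed blob
// from another component (or slot) could overwrite on unpatched versions.
#[AsLiveComponent('premium_features_before')]
final class PremiumFeaturesBefore
{
    use DefaultActionTrait;

    #[LiveProp] // read-only by default (writable: false)
    public string $subscriptionTier = 'basic';

    public function isPremium(): bool
    {
        return $this->subscriptionTier === 'premium';
    }
}

// AFTER: the tier is looked up from the security context on every render, so
// the gate is server-authoritative and independent of the HMAC scheme.
#[AsLiveComponent('premium_features')]
final class PremiumFeatures
{
    use DefaultActionTrait;

    public function __construct(private readonly Security $security)
    {
    }

    public function isPremium(): bool
    {
        $user = $this->security->getUser();

        // Anonymous requests and unexpected user types never unlock the gate.
        return $user instanceof User && $user->getSubscriptionTier() === 'premium';
    }
}
```

The Twig template then calls `this.isPremium()` in both versions; only the source of truth differs. Moving the lookup into the method also means a tier change on the server takes effect on the next render without waiting for the prop to be re-hydrated.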
Frequently Asked Questions
Is CVE-2026-49212 actively exploited?
No confirmed active exploitation of CVE-2026-49212 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-49212?
This vulnerability affects the following AI/ML architecture patterns: Web-based AI/ML administration dashboards, Symfony-based model management and configuration frontends, Live component-driven AI feature-gating and subscription tier interfaces.
What is the CVSS score for CVE-2026-49212?
No CVSS score has been assigned yet.
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application
AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
### Description

In `symfony/ux-live-component`, a component's server-side state is exposed to the browser as a set of props (`#[LiveProp]`-annotated properties). Props marked `writable: true` can be freely changed by the client. Read-only props are round-tripped to the browser and back, and their integrity is protected by an HMAC so the client cannot tamper with them. Child components additionally receive a `propsFromParent` blob, also HMAC-signed.

The HMAC computed by `Symfony\UX\LiveComponent\LiveComponentHydrator` covered only the sorted prop key/value pairs. It didn't include the component name, the slot identifier (`props` vs `propsFromParent`), or any request context, and a single application-wide secret is used for every component. A signed blob the server minted for component A is therefore a valid signature for component B if the key names happen to match, and a `props` blob can be replayed in the `propsFromParent` slot (or the reverse). An attacker can use this to set a read-only prop on a target component to a value they were only ever allowed to choose as a writable prop on another component.

### Resolution

The HMAC is now bound to its context: the component name and a slot identifier are included in the pre-image before hashing. Two constants (`CHECKSUM_SLOT_PROPS` and `CHECKSUM_SLOT_PROPS_FROM_PARENT`) name the two slots, and `calculateChecksum()`, `verifyChecksum()`, `addChecksumToData()`, and `ChildComponentPartialRenderer` thread these values through. Cross-component and cross-slot replays no longer verify.

The patch for this issue is available [here](https://github.com/symfony/ux/commit/a224b5af3e2e33ee14ac71356ae0e0877900a81c) for branch 2.x (and forward-ported to 3.x).

### Credits

Symfony would like to thank Anthropic (via Project Glasswing) for reporting the issue and Hugo Alliaume for providing the fix.
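The pre-image change the advisory describes, modelled as an added example (this is not the package's hydrator code): a simplified checksum over sorted prop key/value pairs only, beside a context-bound checksum that prepends the component name and slot identifier to the pre-image. The script then checks, as a regression test would, that a blob signed for one component verifies elsewhere under the weak scheme and only in its own component and slot under the bound one. The function and constant names, the secret and the sample props are constructed for this example.

```php
<?php
// Added illustration, not code from symfony/ux-live-component. It models the
// two checksum schemes the advisory contrasts; names and values are constructed.

declare(strict_types=1);

const SLOT_PROPS = 'props';
const SLOT_PROPS_FROM_PARENT = 'propsFromParent';

/** Canonical, key-order-independent encoding of the prop key/value pairs. */
function canonicalizeProps(array $props): string
{
    ksort($props);

    return json_encode($props, JSON_THROW_ON_ERROR);
}

/** Weak scheme: the HMAC covers only the props, so it is portable across components and slots. */
function weakChecksum(string $secret, array $props): string
{
    return hash_hmac('sha256', canonicalizeProps($props), $secret);
}

/** Bound scheme: component name and slot are part of the pre-image, so the same props
 *  produce a different checksum for every (component, slot) context. */
function boundChecksum(string $secret, string $componentName, string $slot, array $props): string
{
    $preimage = json_encode([$componentName, $slot, canonicalizeProps($props)], JSON_THROW_ON_ERROR);

    return hash_hmac('sha256', $preimage, $secret);
}

/** Constant-time comparison so verification does not leak the expected value via timing. */
function verify(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

$secret = 'constructed-app-secret'; // a real app uses one secret for all components (see advisory)

// Constructed sample: the same read-only prop name exists on two components.
$readOnlyProps = ['subscription_tier' => 'basic'];
$componentA = 'UserPreferencesComponent';
$componentB = 'PremiumFeaturesComponent';

// The server mints a checksum for component A's props slot under each scheme.
$weakSig = weakChecksum($secret, $readOnlyProps);
$boundSig = boundChecksum($secret, $componentA, SLOT_PROPS, $readOnlyProps);

$results = [
    // Weak scheme: component B recomputes the same value, so A's blob is accepted there.
    'weak: A blob accepted by B' => verify(weakChecksum($secret, $readOnlyProps), $weakSig),
    // Bound scheme: the component name differs, so the blob is rejected on B ...
    'bound: A blob accepted by B' => verify(boundChecksum($secret, $componentB, SLOT_PROPS, $readOnlyProps), $boundSig),
    // ... and in A's propsFromParent slot ...
    'bound: A props blob accepted in propsFromParent slot' => verify(boundChecksum($secret, $componentA, SLOT_PROPS_FROM_PARENT, $readOnlyProps), $boundSig),
    // ... while it still verifies in the context it was minted for.
    'bound: A blob accepted by A' => verify(boundChecksum($secret, $componentA, SLOT_PROPS, $readOnlyProps), $boundSig),
];

foreach ($results as $label => $accepted) {
    printf("%-55s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

Only the first and last checks come back accepted. The secret is unchanged between the two schemes; binding the context into the pre-image is what removes the portability, which is why the advisory can fix the issue without rotating keys.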
Exploitation Scenario
An attacker on a Symfony-based AI platform identifies two live components: a PremiumFeaturesComponent with a read-only prop `subscription_tier: "basic"` and a UserPreferencesComponent with a writable prop of the same key name. The attacker legitimately submits the user preferences form at their `basic` tier, capturing the HMAC-signed props blob the server returns. Because the HMAC excludes the component name and slot identifier, the attacker replays this blob against PremiumFeaturesComponent's props slot in a crafted request. The server validates the HMAC as correct, accepts the tampered state, and the attacker's session is rendered as `premium` tier — unlocking gated AI inference features, higher rate limits, or compliance evidence packs without a paid subscription.
Weaknesses (CWE)
CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Source: MITRE CWE corpus.
Related Vulnerabilities
CVE-2026-45370 7.7 utcp-cli: env leak exfiltrates all agent process secrets
Same package: anthropic CVE-2026-21852 7.5 claude_code: Weak Credentials allow account compromise
Same package: anthropic GHSA-534h-c3cw-v3h9 5.5 Nuxt: local unauth IPC leaks .env secrets on shared hosts
Same package: anthropic CVE-2026-34452 Anthropic SDK: TOCTOU symlink escape in async memory tool
Same package: anthropic CVE-2026-34450 anthropic-sdk: insecure file perms expose agent memory