User Impersonation Affecting silverstripe/framework package, versions >=3.1.0, <3.1.17-rc2>=3.2.0, <3.2.2-rc2>=3.3.0-beta1, <3.3.0-rc3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-SILVERSTRIPEFRAMEWORK-17391921
- published21 Jun 2026
- disclosed19 Jun 2026
- creditPatrick Nelson
Introduced: 19 Jun 2026
New CVE NOT AVAILABLE CWE-290 (opens in a new tab)How to fix?
Upgrade silverstripe/framework to version 3.1.17-rc2, 3.2.2-rc2, 3.3.0-rc3 or higher.
Overview
silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS.
Affected versions of this package are vulnerable to User Impersonation via insufficient validation of proxy-related HTTP headers. An attacker can spoof client IP addresses, hostnames, or protocols by supplying crafted forwarding headers that are trusted when requests pass through a reverse proxy. Because SilverStripe accepts multiple proxy header variants and relies on proxies to remove untrusted headers, spoofed values may bypass SSL enforcement, defeat IP-based restrictions, or circumvent hostname-specific access controls.
Note:
This issue primarily affects deployments behind reverse proxies that do not explicitly remove untrusted forwarding headers.
Deployments not using a reverse proxy may already be protected by Apache with
mod_envenabled andSetEnv BlockUntrustedIPs true.