Missing Authentication for Critical Function in symfony/mailtrap-mailer | CVE-2026-45755

Q: How to fix?

Upgrade symfony/mailtrap-mailer to version 7.4.12, 8.0.12 or higher.

Introduced: 20 May 2026

NewCVE-2026-45755 (opens in a new tab) CWE-306 (opens in a new tab)

How to fix?

Upgrade symfony/mailtrap-mailer to version 7.4.12, 8.0.12 or higher.

Overview

symfony/mailtrap-mailer is a Symfony Mailtrap Mailer Bridge

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the doParse() webhook request parser in the Mailtrap mailer bridge. An attacker can submit forged webhook events because the parser ignores the X-Mt-Signature HMAC header and never validates the configured webhook secret, allowing unauthenticated POST requests to be processed as legitimate Mailtrap callbacks. This can lead to falsified delivery, bounce, open, click, or spam events, resulting in suppression-list corruption and delivery-metrics manipulation.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Missing Authentication for Critical Function Affecting symfony/mailtrap-mailer package, versions <7.4.12>=8.0.0-BETA1, <8.0.12

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 20 May 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk