Back to overview

CVE-2026-54736

HIGH
8.2
CVSS 4.0
Description
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1.

Metadata

CVE ID
CVE-2026-54736
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 23:07 UTC
Published
2026-07-10 21:02 UTC
Last updated
2026-07-10 21:02 UTC
Primary CWE
CWE-208
CWE-208: Observable Timing Discrepancy
Vendor / Product
phalcon / cphalcon
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
phalcon cphalcon < 5.14.1
Weakness (CWE)
CWESourceDescription
CWE-208 cna CWE-208: Observable Timing Discrepancy
CWE-347 cna CWE-347: Improper Verification of Cryptographic Signature
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 4.0 cna CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References (5)
Back to overview