Description "X509Authenticator" implements client-certificate (mTLS) authentication: the web server validates the client's certificate against a trusted CA, then passes the certificate's Subject DN (Distinguished Name: a string like "CN=Alice,O=Example,emailAddress=alice@example.com") to Symfony via "$_SERVER['SSL_CLIENT_S_DN']". Symfony extracts the user identifier from that string. The extraction uses an unanchored regex that matches "emailAddress=" anywhere in the DN string: including inside the value of a different RDN (Relative Distinguished Name: one "key=value" component of the DN), such as "CN". An attacker who can obtain a certificate from a trusted CA with a free-text "CN" can smuggle "emailAddress=victim@target" inside the CN value and be authenticated as the victim. Resolution The "X509Authenticator" now uses a regex that anchors the match to an RDN boundary (start of string, or following a "," / "/" separator). The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/ccb3f724c7ff55670a6fe3521c7bf1514cceb478) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.