Publication date: 20/04/2026, 14:50
Severity: High
Affected versions: Ibexa DXP v5.0.* (ibexa/core v5.0.*)
Resolving versions: Ibexa DXP v5.0.7 (ibexa/core v5.0.7)
The vulnerability is of critical severity. Access control patterns configured under access_control in security.yaml were not added to the anonymous user access listener as they should have been.
This led to routes being accessible to anonymous users, even when explicitly configured to disallow it by using access_control. If you have no such custom access control patterns configured, you are not affected.
You can read more about access control in Symfony here: https://symfony.com/doc/7.4/security/access_control.html
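A triage check for the condition described above, as an added example rather than Ibexa's own tooling: it reads the locked ibexa/core version from composer.lock text and lists the access_control rules found in security.yaml text, so they can be reviewed. It assumes the rules live in the one file passed in, uses an indentation scan instead of a YAML parser, and treats 5.0.0 through 5.0.6 as the affected range; the function names and sample inputs are constructed for illustration.

```python
import json
import re

FIXED = (5, 0, 7)  # resolving ibexa/core version, from the advisory
SAMPLE_LOCK = '{"packages": [{"name": "ibexa/core", "version": "v5.0.6"}]}'  # constructed
SAMPLE_SECURITY = """\
security:
    access_control:
        - { path: ^/internal-report, roles: ROLE_USER }
        - path: ^/partner
          roles: ROLE_PARTNER
"""  # constructed sample rules, not from a real project

def core_version(lock_text):
    """Locked ibexa/core version as a tuple, or None if absent or not x.y.z."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "ibexa/core":
            m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", pkg.get("version", ""))
            return tuple(map(int, m.groups())) if m else None
    return None

def access_control_rules(yaml_text):
    """List items under each access_control: key (indentation scan, not a YAML parser)."""
    rules, key_indent, item_indent = [], None, None
    for raw in yaml_text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if key_indent is not None:
            if item_indent is None and body.startswith("- ") and indent >= key_indent:
                item_indent = indent  # first item fixes the list's indent
            if indent == item_indent and body.startswith("- "):
                rules.append(body[2:].strip())
                continue
            if item_indent is not None and indent > item_indent:
                rules[-1] += " " + body  # continuation of a block-style rule
                continue
            key_indent = item_indent = None  # left the access_control block
        if re.match(r"access_control:\s*(#.*)?$", body):
            key_indent = indent
    return rules

def triage(lock_text, yaml_text):
    """Return (status, rules): 'affected', 'not-affected' or 'unknown' (no x.y.z version)."""
    version, rules = core_version(lock_text), access_control_rules(yaml_text)
    if version is None:
        return "unknown", rules
    return ("affected" if rules and (5, 0, 0) <= version < FIXED else "not-affected"), rules
```

With the sample inputs, triage(SAMPLE_LOCK, SAMPLE_SECURITY) reports "affected" and returns both rules; a result of "unknown" means the locked version is not a tagged x.y.z release and has to be checked by hand.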
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/reporting_issues/