{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-54736","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-15T23:07:33.233Z","datePublished":"2026-07-10T21:02:53.873Z","dateUpdated":"2026-07-10T21:02:53.873Z"},"containers":{"cna":{"title":"Phalcon: Non-constant-time HMAC verification in `Encryption\\Crypt::decrypt` (timing side-channel)","problemTypes":[{"descriptions":[{"cweId":"CWE-208","lang":"en","description":"CWE-208: Observable Timing Discrepancy","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-347","lang":"en","description":"CWE-347: Improper Verification of Cryptographic Signature","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/phalcon/cphalcon/security/advisories/GHSA-8jqh-95g6-7jpj","tags":["x_refsource_CONFIRM"],"url":"https://github.com/phalcon/cphalcon/security/advisories/GHSA-8jqh-95g6-7jpj"},{"name":"https://github.com/phalcon/cphalcon/issues/17090","tags":["x_refsource_MISC"],"url":"https://github.com/phalcon/cphalcon/issues/17090"},{"name":"https://github.com/phalcon/cphalcon/pull/17091","tags":["x_refsource_MISC"],"url":"https://github.com/phalcon/cphalcon/pull/17091"},{"name":"https://github.com/phalcon/cphalcon/commit/ad53ab1b2e7ec59b3af92b0b37b8aaa099011137","tags":["x_refsource_MISC"],"url":"https://github.com/phalcon/cphalcon/commit/ad53ab1b2e7ec59b3af92b0b37b8aaa099011137"},{"name":"https://github.com/phalcon/cphalcon/releases/tag/v5.14.1","tags":["x_refsource_MISC"],"url":"https://github.com/phalcon/cphalcon/releases/tag/v5.14.1"}],"affected":[{"vendor":"phalcon","product":"cphalcon","versions":[{"version":"< 5.14.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-10T21:02:53.873Z"},"descriptions":[{"lang":"en","value":"Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\\Encryption\\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1."}],"source":{"advisory":"GHSA-8jqh-95g6-7jpj","discovery":"UNKNOWN"}}}}