๐Ÿ” CVE Alert

CVE-2026-54736

UNKNOWN 0.0

Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)

CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
4th

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1.

CWE CWE-208 CWE-347
Vendor phalcon
Product cphalcon
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for phalcon cphalcon

Be the first to know when new unknown vulnerabilities affecting phalcon cphalcon are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

phalcon / cphalcon
< 5.14.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/phalcon/cphalcon/security/advisories/GHSA-8jqh-95g6-7jpj github.com: https://github.com/phalcon/cphalcon/issues/17090 github.com: https://github.com/phalcon/cphalcon/pull/17091 github.com: https://github.com/phalcon/cphalcon/commit/ad53ab1b2e7ec59b3af92b0b37b8aaa099011137 github.com: https://github.com/phalcon/cphalcon/releases/tag/v5.14.1