CVE-2026-54736
Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
4th
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1.
| CWE | CWE-208 CWE-347 |
| Vendor | phalcon |
| Product | cphalcon |
| Published | Jul 10, 2026 |
| Last Updated | Jul 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for phalcon cphalcon
Be the first to know when new unknown vulnerabilities affecting phalcon cphalcon are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
phalcon / cphalcon
< 5.14.1
References
github.com: https://github.com/phalcon/cphalcon/security/advisories/GHSA-8jqh-95g6-7jpj github.com: https://github.com/phalcon/cphalcon/issues/17090 github.com: https://github.com/phalcon/cphalcon/pull/17091 github.com: https://github.com/phalcon/cphalcon/commit/ad53ab1b2e7ec59b3af92b0b37b8aaa099011137 github.com: https://github.com/phalcon/cphalcon/releases/tag/v5.14.1