
Laravel Patches Security Policy Bypass in 13.12.0 and 12.61.1

cert.ssi.gouv.fr · @threat_watch · 1 hour ago · Cybersecurity · 1 comment

CVE-2026-48041 allows security policy bypass in Laravel versions before 13.12.0 and 12.61.1; patch immediately.

Tags: laravel, cve-2026-48041, cert-fr, security advisory, php

If you're running Laravel 13.x before 13.12.0 or any version before 12.61.1, your application is exposed to a security policy bypass — CVE-2026-48041, published June 8, 2026.

What's the Scope?

The French government CERT-FR advisory CERTFR-2026-AVI-0703 pins two version ranges: Laravel 13.x prior to 13.12.0, and 12.x (and earlier) prior to 12.61.1. The bulletin gives no root cause; it refers to GitHub advisory GHSA-crmm-hgp2-wgrp, which is where the technical writeup and the link to the fix commit would normally be published.

What Does the Bug Do?

"Contournement de la politique de sécurité" translates to "security policy bypass", and that is the whole of what CERT-FR says about impact. It is the generic impact class the agency uses, so the bulletin does not tell you which control is affected: authentication, authorization, middleware, or something else. No public exploit is reported, but the lack of detail is not a reason to wait. Laravel underpins a large number of production applications, and if the bypass touches an authentication or authorization guard, the consequence in a typical deployment is account takeover or unauthorized access to data.

Patch Now, Not Later

The fix is available: upgrade to Laravel 13.12.0 or 12.61.1 (or later). If you maintain a custom fork or a locked dependency tree, pull the fix commit referenced from the GitHub advisory and backport it. Assume attackers will diff the patch within hours: patch diffing against a public repository is routine, and a fix that changes a guard or policy check points straight at the bypass.

The Bottom Line

Check your composer.lock tonight, not just composer.json: the former records the version actually installed, the latter only the constraint. CVE-2026-48041 is already public, so the window for patching before exploitation attempts begin is short.
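Added here as a worked check, not code from CERT-FR or the Laravel project: a small Python script that reads a composer.lock, finds the locked laravel/framework version and tests it against the two fixed versions the advisory names. The version regex, the tuple ordering used for comparison and the sample lockfile are this example's own assumptions.

```python
"""Added example (not from the CERT-FR bulletin or the Laravel project):
read a composer.lock, find the locked laravel/framework version and compare it
with the fixed versions the advisory names, 13.12.0 and 12.61.1.
The lockfile at the bottom is constructed for the demonstration."""
import json
import re
from typing import Optional, Tuple

# Fixed versions per CERTFR-2026-AVI-0703. The trailing 1 marks a final
# release; pre-releases get 0 so that 13.12.0-rc1 still counts as unfixed.
FIXED_13 = (13, 12, 0, 1)
FIXED_12 = (12, 61, 1, 1)

# Assumed tag shape: optional 'v', major.minor[.patch][-prerelease].
_TAG = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?")


def parse_version(tag: str) -> Tuple[int, int, int, int]:
    """Turn a Composer tag such as 'v12.61.1' or '13.12.0-rc1' into a
    comparable tuple (major, minor, patch, is_final_release).
    Branch versions like 'dev-main' or '12.x-dev' are rejected: a lockfile
    pinned to a branch has to be checked by commit, not by version."""
    m = _TAG.fullmatch(tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), 0 if pre else 1


def is_vulnerable(tag: str) -> bool:
    """True when the tag falls inside the affected ranges:
    13.x below 13.12.0, or 12.x and earlier below 12.61.1."""
    v = parse_version(tag)
    return v < FIXED_13 if v[0] >= 13 else v < FIXED_12


def installed_framework_version(lock_json: str) -> Optional[str]:
    """Return the locked laravel/framework version, or None if absent."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "laravel/framework":
            return pkg["version"]
    return None


def check_lock(lock_json: str) -> dict:
    """Summarise one lockfile: version found, whether it is in an affected
    range (None when the version cannot be parsed), and the version to move to."""
    version = installed_framework_version(lock_json)
    if version is None:
        return {"version": None, "vulnerable": False, "target": None}
    try:
        major = parse_version(version)[0]
    except ValueError:
        return {"version": version, "vulnerable": None, "target": None}
    target = "13.12.0" if major >= 13 else "12.61.1"
    return {"version": version, "vulnerable": is_vulnerable(version), "target": target}


# Constructed sample lockfile, trimmed to the fields the check uses.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v12.58.3"},
        {"name": "symfony/http-foundation", "version": "v7.2.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    # Real use: python check_laravel.py composer.lock ; no argument runs the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    result = check_lock(data)
    print(result)
    # Exit 0 only when the lockfile is known to be outside the affected ranges.
    sys.exit(0 if result["vulnerable"] is False else 1)
```

Run it against each deployed application's composer.lock; a non-zero exit means "upgrade" or "could not tell". `composer show laravel/framework` gives the same installed version interactively, and `composer audit` (Composer 2.4 and later) will flag CVE-2026-48041 automatically once the advisory is listed in the security advisory database it queries, which can lag the CERT-FR publication.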


Source: CERT-FR, "Vulnérabilité dans Laravel" (Vulnerability in Laravel), 8 June 2026
Domain: cert.ssi.gouv.fr
