CVE-2026-42551 Overview
Flight is an extensible micro-framework for PHP used to build web applications and APIs. Versions prior to 3.18.1 contain a flaw in Request::getMethod() that unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb. There is no opt-in mechanism and no whitelist of permitted target methods. An attacker can transform a safe GET request into a DELETE or PUT, enabling Cross-Site Request Forgery (CSRF) escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between Content Delivery Network (CDN) and origin servers. The vulnerability is fixed in Flight 3.18.1.
Critical Impact
Attackers can convert safe HTTP verbs into destructive ones, bypassing CSRF protections and middleware that whitelist only unsafe methods.
Affected Products
- flightphp/core prior to version 3.18.1
- PHP applications using Flight micro-framework for routing
- Deployments with CDN or reverse proxy caching layers in front of Flight
Discovery Timeline
- 2026-05-13 - CVE-2026-42551 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42551
Vulnerability Analysis
The flaw is an Interpretation Conflict [CWE-436] between intermediaries and the Flight application. Flight's Request::getMethod() resolves the effective HTTP method by checking, in order, the X-HTTP-Method-Override request header and the _method body or query parameter. The implementation applies this override to every incoming request without restriction. A GET request carrying X-HTTP-Method-Override: DELETE is dispatched to routes registered for DELETE. Upstream components such as CDNs, web application firewalls, and middleware see only the original GET and treat the request as safe and idempotent.
Root Cause
The override logic lacks two controls that frameworks typically enforce. First, it does not require the originating request to use POST, which is the convention established by Ruby on Rails and adopted by Symfony and Laravel. Second, it does not restrict override targets to a permitted set such as PUT, PATCH, and DELETE. Without these constraints, the framework trusts arbitrary client-supplied input to select the route handler.
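The two missing controls, shown side by side as an added example (this is not Flight's code and does not reproduce its internals; the function names and the plain-array request shape are hypothetical, standing in for $_SERVER and $_REQUEST):

```php
<?php
declare(strict_types=1);

// Added example, not Flight's code. Function names and the array-based
// request shape are hypothetical; real code would read $_SERVER and $_REQUEST.

// Targets a POST may legitimately be rewritten to (the Rails convention).
const OVERRIDE_TARGETS = ['PUT', 'PATCH', 'DELETE'];

// Vulnerable pattern described above: header first, then _method, honoured on
// every wire method with no whitelist. A GET with _method=DELETE becomes DELETE.
function resolveMethodUnsafe(string $wireMethod, array $headers, array $request): string
{
    if (!empty($headers['X-HTTP-Method-Override'])) {
        return strtoupper($headers['X-HTTP-Method-Override']);
    }
    if (!empty($request['_method'])) {
        return strtoupper($request['_method']);
    }
    return strtoupper($wireMethod);
}

// Hardened pattern with both missing controls: the override is consulted only
// when the wire method is POST, and only PUT, PATCH or DELETE are accepted.
// Anything else keeps the wire method, so GET and HEAD can never be escalated.
function resolveMethodSafe(string $wireMethod, array $headers, array $request): string
{
    $wireMethod = strtoupper($wireMethod);
    if ($wireMethod !== 'POST') {
        return $wireMethod;
    }
    $candidate = $headers['X-HTTP-Method-Override'] ?? $request['_method'] ?? null;
    if ($candidate === null) {
        return $wireMethod;
    }
    $candidate = strtoupper(trim((string) $candidate));
    return in_array($candidate, OVERRIDE_TARGETS, true) ? $candidate : $wireMethod;
}

// Constructed sample requests: [wire method, headers, body/query params]
$samples = [
    ['GET',  ['X-HTTP-Method-Override' => 'DELETE'], []],
    ['GET',  [], ['_method' => 'PUT']],
    ['HEAD', [], ['_method' => 'delete']],
    ['POST', [], ['_method' => 'DELETE']],
    ['POST', ['X-HTTP-Method-Override' => 'TRACE'], []],
    ['POST', [], []],
];
foreach ($samples as [$wire, $headers, $params]) {
    printf("%-4s unsafe=%-6s safe=%s\n",
        $wire,
        resolveMethodUnsafe($wire, $headers, $params),
        resolveMethodSafe($wire, $headers, $params));
}
```

Under the unsafe resolver the first three samples are dispatched as DELETE, PUT and DELETE; under the hardened one they stay GET, HEAD and HEAD, the POST with _method=DELETE still becomes DELETE, and the POST asking for TRACE is left as POST because TRACE is outside the permitted set.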
Attack Vector
An attacker hosts a page that triggers a cross-origin GET to the target endpoint, appending ?_method=DELETE or setting the override header through a simple form or image tag. The victim's browser sends authentication cookies, the Flight application interprets the request as DELETE, and the destructive handler executes. CDN edges cache the GET response or pass it through, while the origin treats the same request as state-changing. Middleware that enforces CSRF tokens only on POST, PUT, PATCH, and DELETE never inspects the request because it arrives as GET.
The vulnerability mechanism is documented in the Flight GitHub Security Advisory GHSA-vxrr-w42w-w76g.
Detection Methods for CVE-2026-42551
Indicators of Compromise
- HTTP access logs showing GET requests that contain an X-HTTP-Method-Override header with values such as DELETE, PUT, or PATCH
- Query strings or form bodies containing _method=DELETE, _method=PUT, or _method=PATCH on GET requests
- CDN or reverse proxy logs reporting cache hits for URLs that downstream application logs show as state-changing operations
Detection Strategies
- Audit web server and application logs for requests where the wire-level method is GET but the dispatched route handler corresponds to a destructive operation
- Inspect Flight routing telemetry for handler invocations that do not match the inbound HTTP verb recorded by the web server
- Correlate authentication events with cross-origin Referer headers on requests that triggered destructive route handlers
Monitoring Recommendations
- Enable verbose logging of HTTP method, X-HTTP-Method-Override header, and _method parameter on all routes during incident response
- Alert on any inbound request where X-HTTP-Method-Override is present and the wire method is GET or HEAD
- Monitor CDN purge and cache-poisoning indicators against Flight-backed origins
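The indicators and the alert rule above (an override header or _method parameter on a GET or HEAD request) applied to access logs, as an added example that is not part of the advisory or of Flight. The log lines are constructed; the assumed format is nginx "combined" with one extra quoted field appended for $http_x_http_method_override, written as "-" when the header is absent:

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or of Flight. The log lines below are
// constructed: nginx "combined" format with one extra quoted field appended for
// $http_x_http_method_override ("-" when the header is absent).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [13/May/2026:10:01:22 +0000] "GET /api/items/42?_method=DELETE HTTP/1.1" 200 17 "https://third-party.example/" "Mozilla/5.0" "-"
203.0.113.5 - - [13/May/2026:10:01:23 +0000] "GET /api/items/43 HTTP/1.1" 200 17 "https://third-party.example/" "Mozilla/5.0" "DELETE"
198.51.100.7 - alice [13/May/2026:10:02:01 +0000] "POST /api/items/44 HTTP/1.1" 204 0 "https://app.example/" "Mozilla/5.0" "PUT"
198.51.100.8 - - [13/May/2026:10:02:05 +0000] "HEAD /api/items/45 HTTP/1.1" 200 0 "-" "curl/8.0" "PATCH"
198.51.100.9 - - [13/May/2026:10:02:09 +0000] "GET /api/items/46 HTTP/1.1" 200 120 "-" "Mozilla/5.0" "-"
LOG;

// ip, ident, user, time, method, uri, status, bytes, referer, user-agent, override header
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*" "([^"]*)"$/';

const SAFE_METHODS = ['GET', 'HEAD'];
const DESTRUCTIVE  = ['PUT', 'PATCH', 'DELETE'];

/** Parse one line into fields; returns null for lines that do not match. */
function parseAccessLine(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $params = [];
    $query = parse_url($m[4], PHP_URL_QUERY);
    if (is_string($query)) {
        parse_str($query, $params);
    }
    return [
        'ip'              => $m[1],
        'time'            => $m[2],
        'method'          => strtoupper($m[3]),
        'uri'             => $m[4],
        'status'          => (int) $m[5],
        'referer'         => $m[6],
        'override_header' => $m[7] === '-' ? '' : strtoupper($m[7]),
        'override_param'  => isset($params['_method']) ? strtoupper((string) $params['_method']) : '',
    ];
}

/**
 * One finding per override seen on a GET or HEAD request. A destructive target
 * (PUT, PATCH, DELETE) is marked HIGH; any other override on a safe verb is
 * still reported as MEDIUM. The Referer is carried along so the finding can be
 * correlated with cross-origin pages, as the detection strategies suggest.
 */
function findOverrideOnSafeVerb(string $log): array
{
    $findings = [];
    $sources  = [
        'override_header' => 'X-HTTP-Method-Override header',
        'override_param'  => '_method parameter',
    ];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseAccessLine($line);
        if ($r === null || !in_array($r['method'], SAFE_METHODS, true)) {
            continue;
        }
        foreach ($sources as $field => $label) {
            if ($r[$field] === '') {
                continue;
            }
            $severity   = in_array($r[$field], DESTRUCTIVE, true) ? 'HIGH' : 'MEDIUM';
            $findings[] = sprintf('%s [%s] %s %s %s -> %s via %s (referer: %s)',
                $r['time'], $severity, $r['ip'], $r['method'], $r['uri'],
                $r[$field], $label, $r['referer']);
        }
    }
    return $findings;
}

foreach (findOverrideOnSafeVerb(SAMPLE_LOG) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run against the sample, the first two lines (a GET with _method=DELETE in the query and a GET carrying the header) and the HEAD with a PATCH header produce HIGH findings; the POST with a PUT override is the legitimate Rails-style case and is not reported, and the plain GET produces nothing. The extra log field has to be added to the web server's log format before this check sees header-based overrides; query-string overrides are visible in the standard request line.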
How to Mitigate CVE-2026-42551
Immediate Actions Required
- Upgrade flightphp/core to version 3.18.1 or later using Composer
- Inventory deployed Flight applications and identify versions through composer.lock files across all environments
- Review CSRF middleware to confirm it inspects requests regardless of the apparent HTTP method until the patch is applied
Patch Information
Flight 3.18.1 fixes the vulnerability. Update with composer require flightphp/core:^3.18.1 and redeploy the application. Confirm the upgrade by checking the installed version in composer.lock. Refer to the Flight GitHub Security Advisory for full remediation details.
Workarounds
- Strip the X-HTTP-Method-Override header at the reverse proxy or CDN layer before requests reach the Flight application
- Reject or normalize requests where the _method parameter appears on GET or HEAD requests at the web server level
- Apply CSRF token validation to all routes including those registered as GET until the upgrade is deployed
# Nginx example: strip the override header and reject _method on GET or HEAD.
# An empty value makes proxy_set_header drop the header instead of forwarding it.
proxy_set_header X-HTTP-Method-Override "";
# nginx does not allow nested "if" blocks, so the method and the parameter are
# tested together in one regex on a combined variable.
set $override_on_safe_method "${request_method}:${arg__method}";
if ($override_on_safe_method ~ "^(GET|HEAD):.+") {
    return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


