diff --git a/CHANGELOG.md b/CHANGELOG.md
index 923997a4f..8992be283 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ Bugfixes:
 We do not think this vulnerability can be exploited in Engineblock, but if you are running EB in production, it might be wise to upgrade to this version anyway.
+* Update xmlseclibs dependency to fix canonicalization bypass error
 ## 6.18.0
diff --git a/composer.json b/composer.json
index 1ed6a7022..1a7d2d33f 100644
--- a/composer.json
+++ b/composer.json
@@ -130,7 +130,7 @@
 }
 ],
 "patches": {
- "symfony/http-foundation": {
+ "symfony/symfony": {
 "CVE fix for PATH_INFO vulnerability": "patches/symfony-http-foundation-path-info-cve.patch"
 }
 }
diff --git a/composer.lock b/composer.lock
index 5008e0367..09183abfb 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "7dcd1508425a1b7a2d07485698a9c88c",
+ "content-hash": "b9dfa84eba00028f8b823b55d28c665d",
 "packages": [
 {
 "name": "beberlei/assert",
@@ -2679,16 +2679,16 @@
 },
 {
 "name": "robrichards/xmlseclibs",
- "version": "3.1.3",
+ "version": "3.1.4",
 "source": {
 "type": "git",
 "url": "https://github.com/robrichards/xmlseclibs.git",
- "reference": "2bdfd742624d739dfadbd415f00181b4a77aaf07"
+ "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/2bdfd742624d739dfadbd415f00181b4a77aaf07",
- "reference": "2bdfd742624d739dfadbd415f00181b4a77aaf07",
+ "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/bc87389224c6de95802b505e5265b0ec2c5bcdbd",
+ "reference": "bc87389224c6de95802b505e5265b0ec2c5bcdbd",
 "shasum": ""
 },
 "require": {
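Review bot: The patch key in the composer.json hunk moves from `symfony/http-foundation` to `symfony/symfony`, which suggests the PATH_INFO patch had been registered under a package name that is not what this project actually installs; if this `patches` map is consumed by cweagans/composer-patches, entries for packages that are not installed are, as far as I know, simply never triggered rather than reported, so the CVE fix may have been silently absent until now. A regression guard is worth adding alongside this rename, for example a CI step that asserts the patched condition (`'/' !== $pathInfo[0]`) is present in the vendored Request.php after `composer install`, since the plugin's `composer-exit-on-patch-failure` option only catches patches that fail to apply, not patches that are never attempted. The description key also carries no advisory identifier; `"CVE fix for PATH_INFO vulnerability (<CVE-ID>)"` would let an auditor trace which issue this patch addresses.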
@@ -2715,9 +2715,9 @@
 ],
 "support": {
 "issues": "https://github.com/robrichards/xmlseclibs/issues",
- "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.3"
+ "source": "https://github.com/robrichards/xmlseclibs/tree/3.1.4"
 },
- "time": "2024-11-20T21:13:56+00:00"
+ "time": "2025-12-08T11:57:53+00:00"
 },
 {
 "name": "sensio/framework-extra-bundle",
diff --git a/patches/symfony-http-foundation-path-info-cve.patch b/patches/symfony-http-foundation-path-info-cve.patch
index c97701643..ad1392884 100644
--- a/patches/symfony-http-foundation-path-info-cve.patch
+++ b/patches/symfony-http-foundation-path-info-cve.patch
@@ -1,8 +1,6 @@
---- a/vendor/symfony/http-foundation/Request.php -+++ b/vendor/symfony/http-foundation/Request.php -@@ -1984,9 +1984,9 @@ class Request - } - +--- a/vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php ++++ b/vendor/symfony/symfony/src/Symfony/Component/HttpFoundation/Request.php +@@ -2012,7 +2012,7 @@ class Request $pathInfo = substr($requestUri, \strlen($baseUrl)); - if (false === $pathInfo || '' === $pathInfo) { + if (false === $pathInfo || '' === $pathInfo || '/' !== $pathInfo[0]) {
@@ -10,6 +8,3 @@
- return '/'; + return '/'.$pathInfo; } - - return $pathInfo; -
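Review bot: The hand-edited inner hunk header `@@ -2012,7 +2012,7 @@` appears not to match the body that remains in the patch file after this commit: with the leading `}` and blank context removed in the first hunk and the trailing blank and `return $pathInfo;` context removed in the second, I count five lines per side (one leading context line, the if pair, one unchanged line, the return pair, the closing brace), not seven, though the collapsed rendering here makes that hard to be certain of. If the counts are off, `git apply` rejects the patch as corrupt and the PATH_INFO hardening is still missing from the vendored Request.php even though composer.json now names the right package, which defeats the purpose of the rename. Rather than adjusting the header by hand, regenerate the patch with `git diff` against the `symfony/symfony` tree, and run `git apply --check` on it in CI so a stale or malformed patch fails the build instead of being skipped. This applies to both hunks of this file (`@@ -1,8 +1,6 @@` and `@@ -10,6 +8,3 @@`).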