Skip to content

Commit 54d6a41

Browse files
authored
GHSA/SYNC: 1 new avo advisory (#1126)
1 parent 092d519 commit 54d6a41

1 file changed

Lines changed: 52 additions & 0 deletions

File tree

gems/avo/CVE-2026-55518.yml

Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
---
2+
gem: avo
3+
cve: 2026-55518
4+
ghsa: 8fq9-273g-6mrg
5+
url: https://www.cve.org/CVERecord?id=CVE-2026-55518
6+
title: Avo - Missing Authorization in Avo Association Attach Endpoint
7+
Allows Unauthorized Relationship Manipulation and Privilege Escalation
8+
date: 2026-06-17
9+
description: |
10+
## Summary
11+
12+
A critical missing authorization flaw exists in Avo's association attach
13+
workflow. The UI and `GET /resources/:resource/:id/:related/new` path
14+
can check `attach_<association>?`, but the actual write endpoint,
15+
`POST /resources/:resource/:id/:related`, does not run the same
16+
authorization check before mutating the association.
17+
18+
As a result, an authenticated low-privileged Avo user can bypass
19+
hidden/disabled attach controls and directly attach related records
20+
to a parent record by sending a crafted POST request. In applications
21+
where associations represent teams, tenants, roles, projects, users,
22+
memberships, ownership, or other authorization-bearing relationships,
23+
this can lead to privilege escalation and cross-tenant data exposure.
24+
25+
## Impact
26+
27+
This vulnerability allows unauthorized relationship manipulation
28+
through Avo.
29+
30+
Depending on the affected association, the impact can include:
31+
32+
- Privilege escalation by attaching a user to an admin group,
33+
privileged project, tenant, organization, role, or membership record.
34+
- Cross-tenant data exposure when tenant/user/project membership
35+
determines record visibility.
36+
- Integrity loss by changing ownership, assignment, access-control
37+
relationships, or business workflow state.
38+
- Policy bypass even when Avo UI controls correctly hide the attach
39+
button or deny the attach form.
40+
cvss_v3: 9.6
41+
patched_versions:
42+
- "~> 3.32.1"
43+
- ">= 4.0.0.beta.51"
44+
related:
45+
url:
46+
- https://www.cve.org/CVERecord?id=CVE-2026-55518
47+
- https://advisories.gitlab.com/gem/avo/CVE-2026-55518
48+
- https://github.com/avo-hq/avo/security/advisories/GHSA-8fq9-273g-6mrg
49+
- https://github.com/advisories/GHSA-8fq9-273g-6mrg
50+
notes: |
51+
- cvss_v3 from GHSA, no value for cvss_v2 or cvss_v4
52+
- CVE is reserved, but not published

0 commit comments

Comments
 (0)