|
| 1 | +--- |
| 2 | +gem: avo |
| 3 | +cve: 2026-55518 |
| 4 | +ghsa: 8fq9-273g-6mrg |
| 5 | +url: https://www.cve.org/CVERecord?id=CVE-2026-55518 |
| 6 | +title: Avo - Missing Authorization in Avo Association Attach Endpoint |
| 7 | + Allows Unauthorized Relationship Manipulation and Privilege Escalation |
| 8 | +date: 2026-06-17 |
| 9 | +description: | |
| 10 | + ## Summary |
| 11 | +
|
| 12 | + A critical missing authorization flaw exists in Avo's association attach |
| 13 | + workflow. The UI and `GET /resources/:resource/:id/:related/new` path |
| 14 | + can check `attach_<association>?`, but the actual write endpoint, |
| 15 | + `POST /resources/:resource/:id/:related`, does not run the same |
| 16 | + authorization check before mutating the association. |
| 17 | +
|
| 18 | + As a result, an authenticated low-privileged Avo user can bypass |
| 19 | + hidden/disabled attach controls and directly attach related records |
| 20 | + to a parent record by sending a crafted POST request. In applications |
| 21 | + where associations represent teams, tenants, roles, projects, users, |
| 22 | + memberships, ownership, or other authorization-bearing relationships, |
| 23 | + this can lead to privilege escalation and cross-tenant data exposure. |
| 24 | +
|
| 25 | + ## Impact |
| 26 | +
|
| 27 | + This vulnerability allows unauthorized relationship manipulation |
| 28 | + through Avo. |
| 29 | +
|
| 30 | + Depending on the affected association, the impact can include: |
| 31 | +
|
| 32 | + - Privilege escalation by attaching a user to an admin group, |
| 33 | + privileged project, tenant, organization, role, or membership record. |
| 34 | + - Cross-tenant data exposure when tenant/user/project membership |
| 35 | + determines record visibility. |
| 36 | + - Integrity loss by changing ownership, assignment, access-control |
| 37 | + relationships, or business workflow state. |
| 38 | + - Policy bypass even when Avo UI controls correctly hide the attach |
| 39 | + button or deny the attach form. |
| 40 | +cvss_v3: 9.6 |
| 41 | +patched_versions: |
| 42 | + - "~> 3.32.1" |
| 43 | + - ">= 4.0.0.beta.51" |
| 44 | +related: |
| 45 | + url: |
| 46 | + - https://www.cve.org/CVERecord?id=CVE-2026-55518 |
| 47 | + - https://advisories.gitlab.com/gem/avo/CVE-2026-55518 |
| 48 | + - https://github.com/avo-hq/avo/security/advisories/GHSA-8fq9-273g-6mrg |
| 49 | + - https://github.com/advisories/GHSA-8fq9-273g-6mrg |
| 50 | +notes: | |
| 51 | + - cvss_v3 from GHSA, no value for cvss_v2 or cvss_v4 |
| 52 | + - CVE is reserved, but not published |
0 commit comments