From e7e7301860215b57e457695134b8831951617b20 Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Thu, 18 Jun 2026 09:29:18 -0400 Subject: [PATCH] GHSA/SYNC: 1 new avo advisory --- gems/avo/CVE-2026-55518.yml | 52 +++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 gems/avo/CVE-2026-55518.yml diff --git a/gems/avo/CVE-2026-55518.yml b/gems/avo/CVE-2026-55518.yml new file mode 100644 index 0000000000..43802e88dc --- /dev/null +++ b/gems/avo/CVE-2026-55518.yml @@ -0,0 +1,52 @@ +--- +gem: avo +cve: 2026-55518 +ghsa: 8fq9-273g-6mrg +url: https://www.cve.org/CVERecord?id=CVE-2026-55518 +title: Avo - Missing Authorization in Avo Association Attach Endpoint + Allows Unauthorized Relationship Manipulation and Privilege Escalation +date: 2026-06-17 +description: | + ## Summary + + A critical missing authorization flaw exists in Avo's association attach + workflow. The UI and `GET /resources/:resource/:id/:related/new` path + can check `attach_?`, but the actual write endpoint, + `POST /resources/:resource/:id/:related`, does not run the same + authorization check before mutating the association. + + As a result, an authenticated low-privileged Avo user can bypass + hidden/disabled attach controls and directly attach related records + to a parent record by sending a crafted POST request. In applications + where associations represent teams, tenants, roles, projects, users, + memberships, ownership, or other authorization-bearing relationships, + this can lead to privilege escalation and cross-tenant data exposure. + + ## Impact + + This vulnerability allows unauthorized relationship manipulation + through Avo. + + Depending on the affected association, the impact can include: + + - Privilege escalation by attaching a user to an admin group, + privileged project, tenant, organization, role, or membership record. + - Cross-tenant data exposure when tenant/user/project membership + determines record visibility. + - Integrity loss by changing ownership, assignment, access-control + relationships, or business workflow state. + - Policy bypass even when Avo UI controls correctly hide the attach + button or deny the attach form. +cvss_v3: 9.6 +patched_versions: + - "~> 3.32.1" + - ">= 4.0.0.beta.51" +related: + url: + - https://www.cve.org/CVERecord?id=CVE-2026-55518 + - https://advisories.gitlab.com/gem/avo/CVE-2026-55518 + - https://github.com/avo-hq/avo/security/advisories/GHSA-8fq9-273g-6mrg + - https://github.com/advisories/GHSA-8fq9-273g-6mrg +notes: | + - cvss_v3 from GHSA, no value for cvss_v2 or cvss_v4 + - CVE is reserved, but not published