---
gem: avo
cve: 2026-42205
ghsa: qc5p-3mg5-9fh8
url: https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
title: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
date: 2026-04-24
description: |
  ### Summary
  A critical Broken Access Control vulnerability was identified in the
  `ActionsController` of the Avo framework (v3.x). Due to insecure
  action lookup logic, an authenticated user can execute any Action
  class (descendants of `Avo::BaseAction`) on any resource, even if
  the action is not registered for that specific resource. This leads
  to Privilege Escalation and unauthorized data manipulation across
  the entire application.

  ### Details
  The vulnerability exists in the `action_class` method within
  `app/controllers/avo/actions_controller.rb`.

  #### Vulnerable Code
  ```ruby
  def action_class
    # It searches through ALL descendants of BaseAction without
    # resource validation.
    Avo::BaseAction.descendants.find do |action|
      action.to_s == params[:action_id]
    end
  end
  ```

  The controller identifies the action class to execute solely based
  on the `params[:action_id]` by searching through all `BaseAction`
  descendants. It fails to verify whether the requested action is
  actually permitted or registered for the resource context specified
  in the request URL (e.g., `/admin/resources/posts/actions`).
  Consequently, an attacker can invoke sensitive actions (e.g.,
  `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint
  (e.g., `Post`), bypassing the intended resource-action mapping.

  ### Impact
  This flaw results in significant security risks:
  - **Privilege Escalation:** An authenticated user with low privileges
    can execute administrative actions (like toggling admin roles) to
    escalate their own or others' permissions.
  - **Unauthorized Operations:** Actions designed for restricted
    resources can be triggered against any record ID in the database.
  - **Data Integrity Compromise:** Attackers can perform unauthorized
    destructive operations (e.g., Delete, Archive, or Update) on records
    they should not have access to.

  ### CREDIT
  Illunight
cvss_v3: 8.8
patched_versions:
  - ">= 3.31.1"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42205
    - https://github.com/avo-hq/avo/releases/tag/v3.31.1
    - https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
    - https://github.com/advisories/GHSA-qc5p-3mg5-9fh8
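The following stand-alone Ruby script is an added example, not code from the advisory or from the Avo project, and it does not show Avo's actual patch in 3.31.1. It models the lookup flaw described above with hypothetical stand-ins (`BaseAction`, `ToggleAdmin`, `ArchivePost`, `PublishPost`, `Resource`, and the `USER_RESOURCE`/`POST_RESOURCE` mappings are all invented for illustration) so the vulnerable global-descendants lookup can be run side by side with a lookup scoped to the actions the current resource actually registers. Plain Ruby has no `Class#descendants`, so the example tracks subclasses through the `inherited` hook instead.

```ruby
# Added example modelling CVE-2026-42205. None of these classes are Avo's;
# they are hypothetical stand-ins for Avo::BaseAction, action classes and
# resources so the two lookup strategies can be compared offline.

class BaseAction
  @registry = []

  class << self
    attr_reader :registry
  end

  # Record every subclass. This plays the role of Avo::BaseAction.descendants
  # (ActiveSupport), which plain Ruby does not provide.
  def self.inherited(subclass)
    super
    BaseAction.registry << subclass
  end
end

# Hypothetical action classes. ToggleAdmin is the sensitive one and is only
# meant to be reachable from the users resource.
class ToggleAdmin < BaseAction; end
class ArchivePost < BaseAction; end
class PublishPost < BaseAction; end

# Minimal stand-in for an Avo resource: each resource registers the actions
# that may legitimately run against its records.
class Resource
  attr_reader :name, :actions

  def initialize(name, actions)
    @name = name
    @actions = actions
  end
end

USER_RESOURCE = Resource.new("users", [ToggleAdmin])
POST_RESOURCE = Resource.new("posts", [ArchivePost, PublishPost])

# Vulnerable lookup, the shape quoted in the advisory: params[:action_id] is
# matched against every BaseAction subclass, and the resource the request was
# routed through (the `_resource` argument) is never consulted.
def vulnerable_action_class(_resource, params)
  BaseAction.registry.find { |action| action.to_s == params[:action_id] }
end

# Hardened lookup (illustrative fix, not Avo's): the candidate set is the
# resource's own registered actions, so an action_id that is not mapped to
# this resource resolves to nil and the controller can reject the request.
def hardened_action_class(resource, params)
  resource.actions.find { |action| action.to_s == params[:action_id] }
end

# Constructed attacker request: ToggleAdmin submitted via the posts endpoint.
def demonstrate
  params = { action_id: "ToggleAdmin" } # attacker-controlled
  {
    vulnerable: vulnerable_action_class(POST_RESOURCE, params), # => ToggleAdmin
    hardened:   hardened_action_class(POST_RESOURCE, params),   # => nil
    legitimate: hardened_action_class(USER_RESOURCE, params)    # => ToggleAdmin
  }
end

if __FILE__ == $PROGRAM_NAME
  result = demonstrate
  puts "via /posts, vulnerable lookup resolves: #{result[:vulnerable].inspect}"
  puts "via /posts, hardened lookup resolves:   #{result[:hardened].inspect}"
  puts "via /users, hardened lookup resolves:   #{result[:legitimate].inspect}"
end
```

The point of the comparison is that scoping the candidate set is cheaper and safer than validating the resolved class after the fact: once `hardened_action_class` returns nil for an action the resource never registered, there is no class to authorize, instantiate or run, and the resource-to-action mapping becomes the access-control boundary the advisory says the original code bypassed.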