CVE-2026-55736

EPSS 0.15%
Veröffentlicht 23.06.2026 18:21:13
Zuletzt bearbeitet 23.06.2026 19:17:12
Quelle 6b3ad84c-e1a6-4bf7-a703-f496b7
CVE-Watchlists
Login
Unerledigt
Login

Private action arguments can be set by user input in Ash

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.

Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.

In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.

An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.

This issue affects ash: from 3.0.0 before 3.29.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerash-project

≫

Produkt ash

Default Statusunaffected

Version 3.0.0

Version < 3.29.3

Status affected

Herstellerash-project

≫

Produkt ash

Default Statusunaffected

Version 5967ed3a483ab949866e6d7b043b043e61703f17

Version < d9b3100219b3ea86d73202bf7368c03a7688efea

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.047

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	5.9	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw

https://cna.erlef.org/cves/CVE-2026-55736.html

https://osv.dev/vulnerability/EEF-CVE-2026-55736

https://github.com/ash-project/ash/commit/d9b3100219b3ea86d73202bf7368c03a7688efea

https://nvd.nist.gov/vuln/detail/CVE-2026-55736

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-55736

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-55736

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-55736