🔴 《严重安全漏洞:CVE-2026-55518》
CVSS 评分: 严重(9.6) 状态: Received 发布时间: 2026-07-17
漏洞描述
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to 3.32.1 and 4.0.0.beta.51, Avo's association attach workflow checks attach_? in the UI and GET /resources/:resource/:id/:related/new path, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating the association through Avo::AssociationsController#create. An authenticated low-privileged Avo user can bypass hidden or disabled attach controls and directly attach related records to a parent record by sending a crafted POST request, which can lead to privilege escalation and cross-tenant data exposure where associations represent authorization-bearing relationships. This issue is fixed in versions 3.32.1 and 4.0.0.beta.51.
🔍 技术细节
| 字段 |
值 |
| CVE ID |
CVE-2026-55518 |
| CVSS 评分 |
9.6 🔴 |
| 严重程度 |
严重 |
| CVSS 向量 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| CWE 分类 |
CWE-639,CWE-862,CWE-863 |
| 发布时间 |
2026-07-17 |
| 最后更新 |
2026-07-17 |
| 状态 |
Received |
| 数据来源 |
security-advisories@github.com |
🔗 参考链接