CVE Catalog

CVE-2026-53911

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

12th percentile — higher than 12% of all known CVEs

Summary

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. This enabled an authenticated attacker to craft edit requests that could modify unrelated records.

Risk Assessment

The organization may be exposed to unauthorized data modifications by authenticated users, potentially leading to data integrity breaches and financial losses.

Recommendation

It is recommended to upgrade to Cerebrate version 1.37, which implements safeguards by stripping id from request input and globally marking it as inaccessible in the base AppModel entity.

Original NVD description (English source)

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity. The discovery of those potential vulnerabilities are inherited from initial finding from Jeroen Pinoy additional support from AI-Assisted Optus 4.8 (the commit wrongly assign Claude Fable 5 as the model switched) and coordinated by Andras Iklody.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS