CVE-2026-54164
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
Vulnerability in API Platform Core before versions 4.1.30, 4.2.26 and 4.3.12 allows an attacker to substitute resource types in IRI relations. Missing type validation in AbstractItemNormalizer enables assigning an object of an unintended type to a relation property.
Risk Assessment
An attacker can submit POST/PUT/PATCH requests with an IRI pointing to a resource of a different type, leading to data integrity corruption and potential exploitation of downstream logic assuming the declared type.
Recommendation
Immediately upgrade API Platform Core to version 4.1.30, 4.2.26 or 4.3.12 depending on your branch. After upgrade, verify relation behavior in your API.
Original NVD description (English source)
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.

