Skip to content

API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate

Moderate severity GitHub Reviewed Published Jun 4, 2026 in api-platform/core • Updated Jul 10, 2026

Package

composer api-platform/core (Composer)

Affected versions

>= 2.6.0, < 4.1.29
>= 4.2.0, < 4.2.25
>= 4.3.0, < 4.3.8

Patched versions

4.1.29
4.2.25
4.3.8
composer api-platform/hal (Composer)
>= 4.0.0, < 4.1.29
>= 4.2.0, < 4.2.25
>= 4.3.0, < 4.3.8
4.1.29
4.2.25
4.3.8
composer api-platform/json-api (Composer)
>= 4.0.0, < 4.1.29
>= 4.2.0, < 4.2.25
>= 4.3.0, < 4.3.8
4.1.29
4.2.25
4.3.8

Description

Impact

#[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them.

This is the same vulnerability class as GHSA-428q-q3vv-3fq3 / CVE-2025-31485, which fixed only the GraphQL ItemNormalizer. The JSON:API and HAL paths were not addressed at the time.

Exploitation conditions

Exploitation requires all of the following to coincide:

  • The application exposes a resource via the JSON:API and/or HAL formats.
  • At least one property of that resource uses #[ApiProperty(security: ...)] with a predicate whose result depends on the current user (or on per-request state).
  • A request from a user for whom the predicate evaluates to true populates componentsCache before a request from a user for whom the predicate evaluates to false, within the lifetime of the same PHP process.
  • The deployment uses a long-running PHP runtime that keeps the normalizer instance alive across requests (FrankenPHP worker mode, RoadRunner, Swoole, ReactPHP, etc.). With classic php-fpm workers the cache only survives the duration of a single request, which makes the issue much harder to observe in practice.

Patches

  • 4.1.29
  • 4.2.25
  • 4.3.8

All three branches receive patched releases of api-platform/core, api-platform/json-api, and api-platform/hal.

Workarounds

Override the JSON:API and HAL ItemNormalizer services to gate $context['cache_key'] with a resource-class security check, or avoid #[ApiProperty(security: ...)] on resources served as JSON:API or HAL until the patch is applied. Pinning the deployment to classic php-fpm workers also limits exposure since the cache does not survive across requests.

Credits

  • Tillmann Baumgart (@tillmon) — originally identified the broader cache-key gap and proposed moving isCacheKeySafe to AbstractItemNormalizer.
  • Antoine Bluchet (@soyuka) — extended the gate to JSON:API and HAL normalizers.

References

@soyuka soyuka published to api-platform/core Jun 4, 2026
Published by the National Vulnerability Database Jul 1, 2026
Published to the GitHub Advisory Database Jul 10, 2026
Reviewed Jul 10, 2026
Last updated Jul 10, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(10th percentile)

Weaknesses

Use of Cache Containing Sensitive Information

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Learn more on MITRE.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. Learn more on MITRE.

CVE ID

CVE-2026-49858

GHSA ID

GHSA-pjhx-3c3w-9v23

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.