Skip to content

Commit 08f701f

Browse files
committed
One new avo advisory
1 parent 6471a8b commit 08f701f

1 file changed

Lines changed: 43 additions & 0 deletions

File tree

gems/avo/CVE-2026-53769.yml

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
---
2+
gem: avo
3+
cve: 2026-53769
4+
ghsa: pqpw-cvm4-8mv9
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769
6+
title: Direct attachment upload endpoint lacks upload authorization
7+
and bypasses field-level upload policy
8+
date: 2026-06-02
9+
description: |
10+
## Summary
11+
12+
Avo's direct attachment upload endpoint lacks server-side upload
13+
authorization and bypasses the documented field-level upload policy
14+
methods such as upload_{FIELD_ID}?.
15+
16+
An authenticated Avo user who can reach the Avo attachment upload
17+
endpoint can replace or add attachment content, including binary
18+
content, filename, and content-type metadata, on a resolved record
19+
even when both update? and upload_<field>? policies deny the operation.
20+
21+
This primarily affects multi-role Avo Pro/Advanced-style deployments
22+
where non-administrator or restricted operator users can reach Avo
23+
and per-record or per-field operations are expected to be enforced
24+
by policies.
25+
cvss_v3: 6.5
26+
unaffected_versions:
27+
- "< 2.28.0"
28+
patched_versions:
29+
- "~> 3.32.0"
30+
- ">= 4.0.0.beta.41"
31+
related:
32+
url:
33+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769
34+
- https://rubygems.org/gems/avo/versions/4.0.0.beta.41
35+
- https://rubygems.org/gems/avo/versions/3.32.0
36+
- https://avohq.io/releases/3.32.0
37+
- https://github.com/avo-hq/avo/security/advisories/GHSA-pqpw-cvm4-8mv9
38+
notes: |
39+
- CVE is reserved, but not published.
40+
- date and cvss_v3 and patched_versions from GHSA URL.
41+
- 4.0.0.beta.41 on 6/2/2026 ; 3.32.0 on 6/2/2026
42+
- Do not see 4.0.0.beta.41 inside GitHub. Nothing before 4.0.6.
43+
- See 4.0.0.beta.41 on Rubygems URL.

0 commit comments

Comments
 (0)