|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2026-53769 (avo): Direct attachment upload endpoint lacks upload authorization |
| 4 | + and bypasses field-level upload policy' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- avo |
| 8 | +advisory: |
| 9 | + gem: avo |
| 10 | + cve: 2026-53769 |
| 11 | + ghsa: pqpw-cvm4-8mv9 |
| 12 | + url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769 |
| 13 | + title: Direct attachment upload endpoint lacks upload authorization and bypasses |
| 14 | + field-level upload policy |
| 15 | + date: 2026-06-02 |
| 16 | + description: |- |
| 17 | + ## Summary |
| 18 | +
|
| 19 | + Avo's direct attachment upload endpoint lacks server-side upload |
| 20 | + authorization and bypasses the documented field-level upload policy |
| 21 | + methods such as upload_{FIELD_ID}?. |
| 22 | +
|
| 23 | + An authenticated Avo user who can reach the Avo attachment upload |
| 24 | + endpoint can replace or add attachment content, including binary |
| 25 | + content, filename, and content-type metadata, on a resolved record |
| 26 | + even when both update? and upload_<field>? policies deny the operation. |
| 27 | +
|
| 28 | + This primarily affects multi-role Avo Pro/Advanced-style deployments |
| 29 | + where non-administrator or restricted operator users can reach Avo |
| 30 | + and per-record or per-field operations are expected to be enforced |
| 31 | + by policies. |
| 32 | + cvss_v3: 6.5 |
| 33 | + unaffected_versions: |
| 34 | + - "< 2.28.0" |
| 35 | + patched_versions: |
| 36 | + - "~> 3.32.0" |
| 37 | + - ">= 4.0.0.beta.41" |
| 38 | + related: |
| 39 | + url: |
| 40 | + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769 |
| 41 | + - https://rubygems.org/gems/avo/versions/4.0.0.beta.41 |
| 42 | + - https://rubygems.org/gems/avo/versions/3.32.0 - https://avohq.io/releases/3.32.0 |
| 43 | + - https://github.com/avo-hq/avo/security/advisories/GHSA-pqpw-cvm4-8mv9 |
| 44 | + notes: | |
| 45 | + - CVE is reserved, but not published. |
| 46 | + - date and cvss_v3 and patched_versions from GHSA URL. |
| 47 | + - 4.0.0.beta.41 on 6/2/2026 ; 3.32.0 on 6/2/2026 |
| 48 | + - Do not see 4.0.0.beta.41 inside GitHub. Nothing before 4.0.6. |
| 49 | + - See 4.0.0.beta.41 on Rubygems URL. |
| 50 | +--- |
0 commit comments