Skip to content

Commit 2e962aa

Browse files
jasnowRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@2a0988f
1 parent d5f9c05 commit 2e962aa

1 file changed

Lines changed: 50 additions & 0 deletions

File tree

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-53769 (avo): Direct attachment upload endpoint lacks upload authorization
4+
and bypasses field-level upload policy'
5+
comments: false
6+
categories:
7+
- avo
8+
advisory:
9+
gem: avo
10+
cve: 2026-53769
11+
ghsa: pqpw-cvm4-8mv9
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769
13+
title: Direct attachment upload endpoint lacks upload authorization and bypasses
14+
field-level upload policy
15+
date: 2026-06-02
16+
description: |-
17+
## Summary
18+
19+
Avo's direct attachment upload endpoint lacks server-side upload
20+
authorization and bypasses the documented field-level upload policy
21+
methods such as upload_{FIELD_ID}?.
22+
23+
An authenticated Avo user who can reach the Avo attachment upload
24+
endpoint can replace or add attachment content, including binary
25+
content, filename, and content-type metadata, on a resolved record
26+
even when both update? and upload_<field>? policies deny the operation.
27+
28+
This primarily affects multi-role Avo Pro/Advanced-style deployments
29+
where non-administrator or restricted operator users can reach Avo
30+
and per-record or per-field operations are expected to be enforced
31+
by policies.
32+
cvss_v3: 6.5
33+
unaffected_versions:
34+
- "< 2.28.0"
35+
patched_versions:
36+
- "~> 3.32.0"
37+
- ">= 4.0.0.beta.41"
38+
related:
39+
url:
40+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769
41+
- https://rubygems.org/gems/avo/versions/4.0.0.beta.41
42+
- https://rubygems.org/gems/avo/versions/3.32.0 - https://avohq.io/releases/3.32.0
43+
- https://github.com/avo-hq/avo/security/advisories/GHSA-pqpw-cvm4-8mv9
44+
notes: |
45+
- CVE is reserved, but not published.
46+
- date and cvss_v3 and patched_versions from GHSA URL.
47+
- 4.0.0.beta.41 on 6/2/2026 ; 3.32.0 on 6/2/2026
48+
- Do not see 4.0.0.beta.41 inside GitHub. Nothing before 4.0.6.
49+
- See 4.0.0.beta.41 on Rubygems URL.
50+
---

0 commit comments

Comments
 (0)