CVE-2026-42205

Published: May 8, 2026Modified: May 12, 2026Deferred

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (3)

https://github.com/avo-hq/avo/releases/tag/v3.31.2

Source: security-advisories@github.com

https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8

Source: security-advisories@github.com

https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.