CVE-2026-53911

Source
https://cve.org/CVERecord?id=CVE-2026-53911
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53911.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53911
Published
2026-06-11T09:41:46.124Z
Modified
2026-07-08T08:13:44.786242545Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N CVSS Calculator
Summary
Cerebrate primary key mass assignment in CRUD edit operations allows authenticated users to overwrite unrelated records
Details

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity.

The discovery of those potential vulnerabilities are inherited from initial finding from Jeroen Pinoy additional support from AI-Assisted Optus 4.8 (the commit wrongly assign Claude Fable 5 as the model switched) and coordinated by Andras Iklody.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "1.37.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53911.json",
    "cwe_ids": [
        "CWE-639"
    ],
    "cna_assigner": "CIRCL"
}
References

Affected packages

Git / github.com/cerebrate-project/cerebrate

Affected ranges

Type
GIT
Repo
https://github.com/cerebrate-project/cerebrate
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.37"
        }
    ]
}

Affected versions

v0.*
v0.1
v0.2
v1.*
v1.28
v1.29
v1.30
v1.31
v1.32
v1.33
v1.34
v1.35
v1.36

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53911.json"