CVE-2026-57954

Source
https://cve.org/CVERecord?id=CVE-2026-57954
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57954.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57954
Published
2026-06-29T17:21:55.510Z
Modified
2026-07-15T01:49:01.313962765Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Elide 7.1.17 - Permission Bypass in Sort Expression Validation
Details

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

Database specific
{
    "cna_assigner": "VulnCheck",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57954.json",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/yahoo/elide

Affected ranges

Type
GIT
Repo
https://github.com/yahoo/elide
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.17"
        },
        {
            "fixed": "7.1.17"
        }
    ]
}

Affected versions

1.*
1.0.0.10
1.0.0.11
1.0.0.12
1.0.0.13
1.0.0.14
1.0.0.15
1.0.0.16
1.0.0.17
1.0.0.18
1.0.0.19
1.0.0.20
1.0.0.21
1.0.0.22
1.0.0.23
1.0.0.24
1.0.0.25
1.0.0.4
1.0.0.5
1.0.0.6
1.0.0.7
1.0.0.8
1.0.0.9
2.*
2.0.0
2.0.1
2.0.10
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.10
2.3.11
2.3.12
2.3.13
2.3.14
2.3.15
2.3.16
2.3.17
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.11
2.4.12
2.4.13
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2
3.*
3.0.0
3.0.1
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
4.*
4.0-beta-1
4.0-beta-2
4.0-beta-3
4.0-beta-4
4.0-beta-5
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
4.2.1
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.3.0
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.5.0
4.5.1
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
5.*
5.0.0
5.0.0-pr30
5.0.0-pr31
5.0.0-pr32
5.0.0-pr33
5.0.0-pr34
5.0.1
5.0.10
5.0.11
5.0.12
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
6.*
6.0.0
6.0.0-pr1
6.0.0-pr2
6.0.0-pr3
6.0.0-pr4
6.0.0-pr5
6.0.0-pr6
6.0.0-pr7
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.1.0
6.1.1
6.1.10
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
7.*
7.0.0
7.0.0-pr3
7.0.0-pr4
7.0.0-pr5
7.0.0-pr6
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.1.0
7.1.1
7.1.10
7.1.11
7.1.12
7.1.13
7.1.14
7.1.15
7.1.16
7.1.2
7.1.3
7.1.4
7.1.5
7.1.6
7.1.7
7.1.8
7.1.9
elide-parent-pom-1.*
elide-parent-pom-1.0.0.0
elide-parent-pom-1.0.0.1
elide-parent-pom-1.0.0.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57954.json"