EEF-CVE-2026-55736

Source
https://cna.erlef.org/osv/EEF-CVE-2026-55736.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-55736.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-55736
Aliases
  • CVE-2026-55736
  • GHSA-f4hc-ppw9-4hhw
Published
2026-06-23T18:21:13.033Z
Modified
2026-06-23T18:26:32.851161044Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Private action arguments can be set by user input in Ash
Details

Summary

An Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in the ash-project ash package allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.

Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.

In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.

An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.

This issue affects ash: from 3.0.0 before 3.29.3.

Configuration

An action must declare a private argument (one defined with public?: false) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into Ash.Changeset.for_create/3, for_update/3, for_destroy/3, or into an atomic or bulk update.
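The atom-versus-binary key gap described above, as an added illustration in plain Elixir that is not Ash's own code: `PrivateArgGuard`, the private argument name and the parameter map are all constructed here, and the filters stand in for the library's parameter handling rather than reproducing it.

```elixir
defmodule PrivateArgGuard do
  @moduledoc """
  Illustrative filter (not Ash's own code). Private argument names are
  atoms as declared on the action; request parameters arrive with string
  keys. Matching on the atom alone is the gap the advisory describes.
  """

  # Hypothetical action with one private argument, as in the advisory.
  @private_args [:acting_user_id]

  # Incomplete filter: `Map.drop/2` with atom names never matches a
  # string-keyed entry, so "acting_user_id" reaches the action untouched.
  def strip_private_args_incomplete(params, private \\ @private_args) do
    Map.drop(params, private)
  end

  # Complete filter: every private name is dropped in both spellings,
  # so the result is the same whether the caller used atoms or strings.
  def strip_private_args(params, private \\ @private_args) do
    Map.drop(params, Enum.flat_map(private, &[&1, Atom.to_string(&1)]))
  end

  # Detection: names of private arguments a parameter map tries to set,
  # in either spelling. A non-empty list is worth logging at the boundary.
  def private_args_present(params, private \\ @private_args) do
    Enum.filter(private, fn name ->
      Map.has_key?(params, name) or Map.has_key?(params, Atom.to_string(name))
    end)
  end
end

# Constructed parameters as a web layer would deliver them: string keys,
# with an attempt to set the private argument alongside a public one.
user_params = %{"title" => "hello", "acting_user_id" => 42}

IO.inspect(PrivateArgGuard.private_args_present(user_params), label: "private args in params")
IO.inspect(PrivateArgGuard.strip_private_args_incomplete(user_params), label: "incomplete")
IO.inspect(PrivateArgGuard.strip_private_args(user_params), label: "complete")
```

Running the script with `elixir` shows the incomplete filter leaving the string-keyed private argument in place while the complete filter removes it; the detection helper is the check an application on an affected version can apply at its boundary until it upgrades to 3.29.3.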

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-915"
    ],
    "capec_ids": [
        "CAPEC-77"
    ]
}
References
Credits
    • Alfred Vié - FINDER
    • Zach Daniel - REMEDIATION_REVIEWER
    • Jonatan Männchen / EEF - ANALYST

Affected packages

Hex / ash

Package

Name
ash
Purl
pkg:hex/ash

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.29.3

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.4.10
3.4.11
3.4.12
3.4.13
3.4.14
3.4.15
3.4.16
3.4.17
3.4.18
3.4.19
3.4.20
3.4.21
3.4.22
3.4.23
3.4.24
3.4.25
3.4.26
3.4.27
3.4.28
3.4.29
3.4.30
3.4.31
3.4.32
3.4.33
3.4.34
3.4.35
3.4.36
3.4.37
3.4.38
3.4.39
3.4.40
3.4.41
3.4.42
3.4.43
3.4.44
3.4.45
3.4.46
3.4.47
3.4.48
3.4.49
3.4.50
3.4.51
3.4.52
3.4.53
3.4.54
3.4.55
3.4.56
3.4.57
3.4.58
3.4.59
3.4.60
3.4.61
3.4.62
3.4.63
3.4.64
3.4.65
3.4.66
3.4.67
3.4.68
3.4.69
3.4.70
3.4.71
3.4.72
3.4.73
3.4.74
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14
3.5.15
3.5.16
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.22
3.5.23
3.5.24
3.5.25
3.5.26
3.5.27
3.5.28
3.5.29
3.5.30
3.5.31
3.5.32
3.5.33
3.5.34
3.5.35
3.5.36
3.5.37
3.5.38
3.5.39
3.5.40
3.5.41
3.5.42
3.5.43
3.6.0
3.6.1
3.6.2
3.6.3
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.8.0
3.9.0
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0
3.13.0
3.13.1
3.13.2
3.14.0
3.14.1
3.15.0
3.16.0
3.17.0
3.17.1
3.18.0
3.19.0
3.19.1
3.19.2
3.19.3
3.20.0
3.21.0
3.21.1
3.21.2
3.21.3
3.22.0
3.22.1
3.22.2
3.23.0
3.23.1
3.24.0
3.24.1
3.24.2
3.24.3
3.24.4
3.24.5
3.24.6
3.24.7
3.25.0
3.25.1
3.25.2
3.26.0
3.27.0
3.27.1
3.27.2
3.27.3
3.27.4
3.27.5
3.27.6
3.27.7
3.27.8
3.28.0
3.29.0
3.29.1
3.29.2

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-55736.json"

Git / github.com/ash-project/ash

Affected ranges

Type
GIT
Repo
https://github.com/ash-project/ash
Events

Affected versions

3.*
3.0.3
3.4.56
v3.*
v3.0.0-rc.0
v3.0.0-rc.1
v3.0.0-rc.10
v3.0.0-rc.11
v3.0.0-rc.12
v3.0.0-rc.13
v3.0.0-rc.14
v3.0.0-rc.15
v3.0.0-rc.16
v3.0.0-rc.17
v3.0.0-rc.18
v3.0.0-rc.19
v3.0.0-rc.2
v3.0.0-rc.20
v3.0.0-rc.21
v3.0.0-rc.22
v3.0.0-rc.23
v3.0.0-rc.24
v3.0.0-rc.25
v3.0.0-rc.26
v3.0.0-rc.27
v3.0.0-rc.29
v3.0.0-rc.3
v3.0.0-rc.30
v3.0.0-rc.31
v3.0.0-rc.32
v3.0.0-rc.33
v3.0.0-rc.34
v3.0.0-rc.35
v3.0.0-rc.36
v3.0.0-rc.37
v3.0.0-rc.38
v3.0.0-rc.4
v3.0.0-rc.40
v3.0.0-rc.41
v3.0.0-rc.42
v3.0.0-rc.43
v3.0.0-rc.44
v3.0.0-rc.45
v3.0.0-rc.46
v3.0.0-rc.5
v3.0.0-rc.6
v3.0.0-rc.7
v3.0.0-rc.8
v3.0.0-rc.9
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.1
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.10.0
v3.10.1
v3.11.0
v3.11.1
v3.11.2
v3.11.3
v3.12.0
v3.13.0
v3.13.1
v3.13.2
v3.14.0
v3.14.1
v3.15.0
v3.16.0
v3.17.0
v3.17.1
v3.18.0
v3.19.0
v3.19.1
v3.19.2
v3.19.3
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.20.0
v3.21.0
v3.21.1
v3.21.2
v3.21.3
v3.22.0
v3.22.1
v3.22.2
v3.23.0
v3.23.1
v3.24.0
v3.24.1
v3.24.2
v3.24.3
v3.24.4
v3.24.5
v3.24.6
v3.24.7
v3.25.0
v3.25.1
v3.25.2
v3.26.0
v3.27.0
v3.27.1
v3.27.2
v3.27.3
v3.27.4
v3.27.6
v3.27.7
v3.27.8
v3.28.0
v3.29.0
v3.29.1
v3.29.2
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.21
v3.4.23
v3.4.24
v3.4.25
v3.4.26
v3.4.27
v3.4.28
v3.4.29
v3.4.3
v3.4.30
v3.4.31
v3.4.32
v3.4.33
v3.4.34
v3.4.35
v3.4.36
v3.4.37
v3.4.38
v3.4.39
v3.4.4
v3.4.40
v3.4.41
v3.4.42
v3.4.43
v3.4.44
v3.4.45
v3.4.46
v3.4.47
v3.4.48
v3.4.5
v3.4.50
v3.4.51
v3.4.53
v3.4.54
v3.4.55
v3.4.56
v3.4.57
v3.4.58
v3.4.59
v3.4.6
v3.4.61
v3.4.62
v3.4.63
v3.4.64
v3.4.65
v3.4.66
v3.4.67
v3.4.68
v3.4.69
v3.4.7
v3.4.70
v3.4.71
v3.4.72
v3.4.73
v3.4.8
v3.4.9
v3.5.1
v3.5.10
v3.5.11
v3.5.12
v3.5.13
v3.5.14
v3.5.15
v3.5.16
v3.5.17
v3.5.18
v3.5.19
v3.5.2
v3.5.21
v3.5.22
v3.5.23
v3.5.24
v3.5.25
v3.5.26
v3.5.27
v3.5.28
v3.5.29
v3.5.3
v3.5.30
v3.5.31
v3.5.32
v3.5.33
v3.5.35
v3.5.36
v3.5.37
v3.5.38
v3.5.39
v3.5.4
v3.5.41
v3.5.42
v3.5.43
v3.5.5
v3.5.6
v3.5.7
v3.5.8
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.7.6
v3.8.0
v3.9.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-55736.json"