Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions gems/avo/CVE-2026-53769.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
---
gem: avo
cve: 2026-53769
ghsa: pqpw-cvm4-8mv9
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769
title: Direct attachment upload endpoint lacks upload authorization
and bypasses field-level upload policy
date: 2026-06-02
description: |
## Summary

Avo's direct attachment upload endpoint lacks server-side upload
authorization and bypasses the documented field-level upload policy
methods such as upload_{FIELD_ID}?.

An authenticated Avo user who can reach the Avo attachment upload
endpoint can replace or add attachment content, including binary
content, filename, and content-type metadata, on a resolved record
even when both update? and upload_<field>? policies deny the operation.

This primarily affects multi-role Avo Pro/Advanced-style deployments
where non-administrator or restricted operator users can reach Avo
and per-record or per-field operations are expected to be enforced
by policies.
cvss_v3: 6.5
unaffected_versions:
- "< 2.28.0"
patched_versions:
- "~> 3.32.0"
- ">= 4.0.0.beta.41"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-53769
- https://rubygems.org/gems/avo/versions/4.0.0.beta.41
- https://rubygems.org/gems/avo/versions/3.32.0
- https://avohq.io/releases/3.32.0
- https://github.com/avo-hq/avo/security/advisories/GHSA-pqpw-cvm4-8mv9
notes: |
- CVE is reserved, but not published.
- date and cvss_v3 and patched_versions from GHSA URL.
- 4.0.0.beta.41 on 6/2/2026 ; 3.32.0 on 6/2/2026
- Do not see 4.0.0.beta.41 inside GitHub. Nothing before 4.0.6.
- See 4.0.0.beta.41 on Rubygems URL.