{"uuid": "67ca58a5-1e7a-4e92-97e1-70b3a07feeba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49858", "type": "seen", "source": "https://gist.github.com/alon710/a56efdb02fd3817ca2ff1035bbcd74e4", "content": "# CVE-2026-49858: CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers\n\n&gt; **CVSS Score:** 5.9\n&gt; **Published:** 2026-07-10\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49858\n\n## Summary\nCVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.\n\n## TL;DR\nUnsafe in-memory caching in API Platform Core's JSON:API and HAL normalizers leaks sensitive properties across different user contexts when running under persistent PHP environments like FrankenPHP or RoadRunner.\n\n## Technical Details\n\n- **CWE ID**: CWE-524\n- **Attack Vector**: Network (AV:N)\n- **CVSS v3.1**: 5.9 (Medium)\n- **EPSS Score**: 0.00197\n- **Impact**: High Confidentiality Exposure\n- **Exploit Status**: None (No public exploit or PoC)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- API Platform Core\n- api-platform/core\n- api-platform/hal\n- api-platform/json-api\n- **api-platform/core**: &gt;= 4.1.0, &lt; 4.1.29 (Fixed in: `4.1.29`)\n- **api-platform/core**: &gt;= 4.2.0, &lt; 4.2.26 (Fixed in: `4.2.26`)\n- **api-platform/core**: &gt;= 4.3.0, &lt; 4.3.12 (Fixed in: `4.3.12`)\n\n## Mitigation\n\n- Upgrade the API Platform Core package to version 4.1.29, 4.2.26, 4.3.12 or higher.\n- Temporarily disable persistent application workers (FrankenPHP worker mode, Swoole, RoadRunner) and fallback to stateless PHP-FPM runtime environments.\n- Decorate the SerializerContextBuilder to explicitly nullify the cache_key parameter during serialization of HAL and JSON:API formats.\n\n**Remediation Steps:**\n1. Run 'composer update api-platform/core' to pull the latest security patch.\n2. Verify the installed version of API Platform Core using 'composer show api-platform/core'.\n3. Restart long-running persistent PHP worker processes to purge any compromised cache states from memory.\n\n## References\n\n- [GHSA-pjhx-3c3w-9v23 Security Advisory](https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23)\n- [CVE-2026-49858 authoritative CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-49858)\n- [NVD - CVE-2026-49858 Detailed Report](https://nvd.nist.gov/vuln/detail/CVE-2026-49858)\n- [Fix Git Commit for ItemNormalizers Cache Key Gating](https://github.com/api-platform/core/commit/019fd901225a969b1903e093a1773f26ee551dfc)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49858) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T15:41:54.376580Z"}