Vulnerability-Lookup

CVE-2026-42205 (GCVE-0-2026-42205)

Vulnerability from cvelistv5 – Published: 2026-05-08 21:26 – Updated: 2026-05-08 21:26

Title

Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources

Summary

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-284 - Improper Access Control
CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

	https://github.com/avo-hq/avo/security/advisories…	x_refsource_CONFIRM
	https://github.com/avo-hq/avo/releases/tag/v3.31.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	avo-hq	avo	Affected: < 3.31.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "avo",
          "vendor": "avo-hq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.31.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T21:26:44.743Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8"
        },
        {
          "name": "https://github.com/avo-hq/avo/releases/tag/v3.31.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/avo-hq/avo/releases/tag/v3.31.2"
        }
      ],
      "source": {
        "advisory": "GHSA-qc5p-3mg5-9fh8",
        "discovery": "UNKNOWN"
      },
      "title": "Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42205",
    "datePublished": "2026-05-08T21:26:44.743Z",
    "dateReserved": "2026-04-25T05:04:37.027Z",
    "dateUpdated": "2026-05-08T21:26:44.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42205\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T22:16:31.820\",\"lastModified\":\"2026-05-08T22:16:31.820\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://github.com/avo-hq/avo/releases/tag/v3.31.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-QC5P-3MG5-9FH8

Vulnerability from github – Published: 2026-04-24 16:11 – Updated: 2026-05-04 20:43

Summary

Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources

Details

Summary

A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.

Details

The vulnerability exists in the action_class method within app/controllers/avo/actions_controller.rb.

Vulnerable Code

def action_class
  # It searches through ALL descendants of BaseAction without resource validation
  Avo::BaseAction.descendants.find do |action|
    action.to_s == params[:action_id]
  end
end

The controller identifies the action class to execute solely based on the params[:action_id] by searching through all BaseAction descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., /admin/resources/posts/actions).

Consequently, an attacker can invoke sensitive actions (e.g., Avo::Actions::ToggleAdmin) through an unrelated resource endpoint (e.g., Post), bypassing the intended resource-action mapping.

Impact

This flaw results in significant security risks:

Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions.
Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database.
Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.

Proof of Concept (PoC)

Steps to Reproduce:

Log in to the Avo admin panel with limited permissions.
Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g., Avo::Actions::ToggleAdmin).
Send a POST request to a resource endpoint where the target action is not registered:
- URL: POST /admin/resources/posts/actions
- Payload: action_id=Avo::Actions::ToggleAdmin&fields[avo_resource_ids]=1
The server executes the ToggleAdmin logic on User 1, even though the request was made through the posts resource context.

PoC Script Snippet:

# Simulating the unauthorized action execution
data = {
    'action_id': 'Avo::Actions::ToggleAdmin',
    'fields[avo_resource_ids]': '1', # Target Record ID
    'authenticity_token': csrf_token
}
response = session.post(f"{BASE_URL}/admin/resources/posts/actions", data=data)

Remediation

Restrict the action lookup to only those actions explicitly registered for the current resource context:

def action_class
  # Validate that the action is registered for the current resource
  @resource.get_actions.find do |action|
    action.to_s == params[:action_id]
  end
end

Discoverer

Illunight

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "avo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.31.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T16:11:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA critical Broken Access Control vulnerability was identified in the `ActionsController` of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of `Avo::BaseAction`) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.\n\n### Details\n\nThe vulnerability exists in the `action_class` method within `app/controllers/avo/actions_controller.rb`.\n\n#### Vulnerable Code\n\n```ruby\ndef action_class\n  # It searches through ALL descendants of BaseAction without resource validation\n  Avo::BaseAction.descendants.find do |action|\n    action.to_s == params[:action_id]\n  end\nend\n```\n\nThe controller identifies the action class to execute solely based on the `params[:action_id]` by searching through all `BaseAction` descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., `/admin/resources/posts/actions`).\n\nConsequently, an attacker can invoke sensitive actions (e.g., `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint (e.g., `Post`), bypassing the intended resource-action mapping.\n\n### Impact\n\nThis flaw results in significant security risks:\n\n- **Privilege Escalation:** An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others\u0027 permissions.\n- **Unauthorized Operations:** Actions designed for restricted resources can be triggered against any record ID in the database.\n- **Data Integrity Compromise:** Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.\n\n### Proof of Concept (PoC)\n\n**Steps to Reproduce:**\n\n01. Log in to the Avo admin panel with limited permissions.\n02. Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g., `Avo::Actions::ToggleAdmin`).\n03. Send a POST request to a resource endpoint where the target action is not registered:\n    - **URL:** `POST /admin/resources/posts/actions`\n    - **Payload:** `action_id=Avo::Actions::ToggleAdmin\u0026fields[avo_resource_ids]=1`\n04. The server executes the `ToggleAdmin` logic on User 1, even though the request was made through the `posts` resource context.\n\n**PoC Script Snippet:**\n\n```python\n# Simulating the unauthorized action execution\ndata = {\n    \u0027action_id\u0027: \u0027Avo::Actions::ToggleAdmin\u0027,\n    \u0027fields[avo_resource_ids]\u0027: \u00271\u0027, # Target Record ID\n    \u0027authenticity_token\u0027: csrf_token\n}\nresponse = session.post(f\"{BASE_URL}/admin/resources/posts/actions\", data=data)\n```\n\n### Remediation\n\nRestrict the action lookup to only those actions explicitly registered for the current resource context:\n\n```ruby\ndef action_class\n  # Validate that the action is registered for the current resource\n  @resource.get_actions.find do |action|\n    action.to_s == params[:action_id]\n  end\nend\n```\n\n### Discoverer\n\nIllunight",
  "id": "GHSA-qc5p-3mg5-9fh8",
  "modified": "2026-05-04T20:43:06Z",
  "published": "2026-04-24T16:11:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/avo-hq/avo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42205 (GCVE-0-2026-42205)

GHSA-QC5P-3MG5-9FH8

Summary

Details

Vulnerable Code

Impact

Proof of Concept (PoC)

Remediation

Discoverer

Tags

Sightings

Nomenclature