CVE-2026-53911— Cerebrate 安全漏洞

Cerebrate primary key mass assignment in CRUD edit operations allows authenticated users to overwrite unrelated records

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity. The discovery of those potential vulnerabilities are inherited from initial finding from Jeroen Pinoy additional support from AI-Assisted Optus 4.8 (the commit wrongly assign Claude Fable 5 as the model switched) and coordinated by Andras Iklody.

N/A

通过用户控制密钥绕过授权机制

Cerebrate 安全漏洞

Cerebrate是Cerebrate开源的一个开源平台。旨在充当受信任的联系信息提供者和其他安全工具的互连协调器。 Cerebrate 1.37之前版本存在安全漏洞，该漏洞源于CRUD编辑操作和某些自定义实体修补流程中允许通过请求输入提供id主键字段。在未明确将id标记为不可访问的受影响实体中，经过身份验证的攻击者可以提交包含另一个记录id的特制编辑请求，导致保存操作更新该无关记录而非路由参数标识的记录。该问题影响多个继承宽松批量赋值默认值的实体类型，包括User、Role、UserSetting、Lo

N/A

N/A