Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for ash by ash-project

    CVE-2026-55736 (GCVE-0-2026-55736)

    Vulnerability from nvd – Published: 2026-06-23 18:21 – Updated: 2026-06-23 18:21
    VLAI
    Title
    Private action arguments can be set by user input in Ash
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete. In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary. An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation. This issue affects ash: from 3.0.0 before 3.29.3.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 3.0.0 , < 3.29.3 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 5967ed3a483ab949866e6d7b043b043e61703f17 , < d9b3100219b3ea86d73202bf7368c03a7688efea (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Alfred Vié Zach Daniel Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Ash.Changeset\u0027"
              ],
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/changeset/changeset.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.29.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Ash.Changeset\u0027"
              ],
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/changeset/changeset.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "d9b3100219b3ea86d73202bf7368c03a7688efea",
                  "status": "affected",
                  "version": "5967ed3a483ab949866e6d7b043b043e61703f17",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn action must declare a private argument (one defined with \u003ctt\u003epublic?: false\u003c/tt\u003e) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into \u003ctt\u003eAsh.Changeset.for_create/3\u003c/tt\u003e, \u003ctt\u003efor_update/3\u003c/tt\u003e, \u003ctt\u003efor_destroy/3\u003c/tt\u003e, or into an atomic or bulk update.\u003c/p\u003e"
                }
              ],
              "value": "An action must declare a private argument (one defined with public?: false) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into Ash.Changeset.for_create/3, for_update/3, for_destroy/3, or into an atomic or bulk update."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.29.3",
                      "versionStartIncluding": "3.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alfred Vi\u00e9"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Zach Daniel"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\u003cp\u003eAction arguments declared with \u003ctt\u003epublic?: false\u003c/tt\u003e are meant to be set internally (for example via \u003ctt\u003eAsh.Changeset.set_private_argument/3\u003c/tt\u003e) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\u003c/p\u003e\u003cp\u003eIn the regular changeset path (\u003ctt\u003efor_create\u003c/tt\u003e, \u003ctt\u003efor_update\u003c/tt\u003e, \u003ctt\u003efor_destroy\u003c/tt\u003e), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (\u003ctt\u003eAsh.Changeset.fully_atomic_changeset/4\u003c/tt\u003e, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\u003c/p\u003e\u003cp\u003eAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an \u003ctt\u003eacting_user_id\u003c/tt\u003e driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from 3.0.0 before 3.29.3.\u003c/p\u003e"
                }
              ],
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\n\nAction arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\n\nIn the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\n\nAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\n\nThis issue affects ash: from 3.0.0 before 3.29.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T18:21:13.033Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-55736.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55736"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/d9b3100219b3ea86d73202bf7368c03a7688efea"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Private action arguments can be set by user input in Ash",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-55736",
        "datePublished": "2026-06-23T18:21:13.033Z",
        "dateReserved": "2026-06-17T10:44:34.365Z",
        "dateUpdated": "2026-06-23T18:21:13.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34593 (GCVE-0-2026-34593)

    Vulnerability from nvd – Published: 2026-04-02 17:42 – Updated: 2026-04-03 13:04
    VLAI
    Title
    Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
    Summary
    Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    ash-project ash Affected: < 3.22.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34593",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T13:04:06.237768Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T13:04:09.413Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with \"Elixir.\", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T17:42:26.459Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"
            },
            {
              "name": "https://github.com/ash-project/ash/releases/tag/v3.22.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ash-project/ash/releases/tag/v3.22.0"
            }
          ],
          "source": {
            "advisory": "GHSA-jjf9-w5vj-r6vp",
            "discovery": "UNKNOWN"
          },
          "title": "Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34593",
        "datePublished": "2026-04-02T17:42:26.459Z",
        "dateReserved": "2026-03-30T17:15:52.499Z",
        "dateUpdated": "2026-04-03T13:04:09.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48044 (GCVE-0-2025-48044)

    Vulnerability from nvd – Published: 2025-10-17 13:52 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Authorization bypass when bypass policy condition evaluates to true
    Summary
    Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 3.6.3 , < 3.7.1 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 , < 8b83efa225f657bfc3656ad8ee8485f9b2de923d (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jechol Lee Jechol Lee Jonatan Männchen / EEF Zach Daniel
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48044",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-20T18:42:50.579615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T13:59:25.673Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/policy.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.7.1",
                  "status": "affected",
                  "version": "3.6.3",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/policy.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "8b83efa225f657bfc3656ad8ee8485f9b2de923d",
                  "status": "affected",
                  "version": "79749c2685ea031ebb2de8cf60cc5edced6a8dd0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.7.1",
                      "versionStartIncluding": "3.6.3",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jechol Lee"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jechol Lee"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Zach Daniel"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/policy.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Policy\u0027:expression/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines \u0027Elixir.Ash.Policy.Policy\u0027:expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:21.571Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2025-48044.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48044"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authorization bypass when bypass policy condition evaluates to true",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2025-48044",
        "datePublished": "2025-10-17T13:52:53.644Z",
        "dateReserved": "2025-05-15T08:40:25.455Z",
        "dateUpdated": "2026-05-27T15:40:21.571Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48043 (GCVE-0-2025-48043)

    Vulnerability from nvd – Published: 2025-10-10 15:57 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization
    Summary
    Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 0 , < 3.6.2 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 0 , < 66d81300065b970da0d2f4528354835d2418c7ae (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zach Daniel Jonatan Männchen / EEF Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48043",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-10T16:33:21.270063Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-10T16:45:42.403Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/authorizer/authorizer.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/authorizer/authorizer.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "66d81300065b970da0d2f4528354835d2418c7ae",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.6.2",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Zach Daniel"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/authorizer/authorizer.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines \u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2.\n\nThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:17.241Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2025-48043.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48043"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/66d81300065b970da0d2f4528354835d2418c7ae"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2025-48043",
        "datePublished": "2025-10-10T15:57:29.225Z",
        "dateReserved": "2025-05-15T08:40:25.455Z",
        "dateUpdated": "2026-05-27T15:40:17.241Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48042 (GCVE-0-2025-48042)

    Vulnerability from nvd – Published: 2025-09-07 16:01 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Before action hooks may execute in certain scenarios despite a request being forbidden
    Summary
    Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6. This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 0 , < 3.5.39 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 0 , < 5d1b6a5d00771fd468a509778637527b5218be9a (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zach Daniel Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48042",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:54:54.599381Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:55:11.399Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/actions/create/bulk.ex",
                "lib/ash/actions/destroy/bulk.ex",
                "lib/ash/actions/update/bulk.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.5.39",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/actions/create/bulk.ex",
                "lib/ash/actions/destroy/bulk.ex",
                "lib/ash/actions/update/bulk.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "5d1b6a5d00771fd468a509778637527b5218be9a",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.5.39",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Zach Daniel"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/actions/create/bulk.ex\u003c/tt\u003e, \u003ctt\u003elib/ash/actions/destroy/bulk.ex\u003c/tt\u003e, \u003ctt\u003elib/ash/actions/update/bulk.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines \u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5, \u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6, \u0027Elixir.Ash.Actions.Update.Bulk:run\u0027/6.\n\nThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:15.857Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2025-48042.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48042"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Before action hooks may execute in certain scenarios despite a request being forbidden",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2025-48042",
        "datePublished": "2025-09-07T16:01:01.470Z",
        "dateReserved": "2025-05-15T08:40:25.455Z",
        "dateUpdated": "2026-05-27T15:40:15.857Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55736 (GCVE-0-2026-55736)

    Vulnerability from cvelistv5 – Published: 2026-06-23 18:21 – Updated: 2026-06-23 18:21
    VLAI
    Title
    Private action arguments can be set by user input in Ash
    Summary
    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete. In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary. An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation. This issue affects ash: from 3.0.0 before 3.29.3.
    CWE
    • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 3.0.0 , < 3.29.3 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 5967ed3a483ab949866e6d7b043b043e61703f17 , < d9b3100219b3ea86d73202bf7368c03a7688efea (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Alfred Vié Zach Daniel Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Ash.Changeset\u0027"
              ],
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/changeset/changeset.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.29.3",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Ash.Changeset\u0027"
              ],
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/changeset/changeset.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
                },
                {
                  "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "d9b3100219b3ea86d73202bf7368c03a7688efea",
                  "status": "affected",
                  "version": "5967ed3a483ab949866e6d7b043b043e61703f17",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn action must declare a private argument (one defined with \u003ctt\u003epublic?: false\u003c/tt\u003e) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into \u003ctt\u003eAsh.Changeset.for_create/3\u003c/tt\u003e, \u003ctt\u003efor_update/3\u003c/tt\u003e, \u003ctt\u003efor_destroy/3\u003c/tt\u003e, or into an atomic or bulk update.\u003c/p\u003e"
                }
              ],
              "value": "An action must declare a private argument (one defined with public?: false) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into Ash.Changeset.for_create/3, for_update/3, for_destroy/3, or into an atomic or bulk update."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.29.3",
                      "versionStartIncluding": "3.0.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alfred Vi\u00e9"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Zach Daniel"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\u003cp\u003eAction arguments declared with \u003ctt\u003epublic?: false\u003c/tt\u003e are meant to be set internally (for example via \u003ctt\u003eAsh.Changeset.set_private_argument/3\u003c/tt\u003e) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\u003c/p\u003e\u003cp\u003eIn the regular changeset path (\u003ctt\u003efor_create\u003c/tt\u003e, \u003ctt\u003efor_update\u003c/tt\u003e, \u003ctt\u003efor_destroy\u003c/tt\u003e), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (\u003ctt\u003eAsh.Changeset.fully_atomic_changeset/4\u003c/tt\u003e, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\u003c/p\u003e\u003cp\u003eAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an \u003ctt\u003eacting_user_id\u003c/tt\u003e driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from 3.0.0 before 3.29.3.\u003c/p\u003e"
                }
              ],
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\n\nAction arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\n\nIn the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\n\nAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\n\nThis issue affects ash: from 3.0.0 before 3.29.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-77",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-77 Manipulating User-Controlled Variables"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-915",
                  "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T18:21:13.033Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-55736.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55736"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/d9b3100219b3ea86d73202bf7368c03a7688efea"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Private action arguments can be set by user input in Ash",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-55736",
        "datePublished": "2026-06-23T18:21:13.033Z",
        "dateReserved": "2026-06-17T10:44:34.365Z",
        "dateUpdated": "2026-06-23T18:21:13.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34593 (GCVE-0-2026-34593)

    Vulnerability from cvelistv5 – Published: 2026-04-02 17:42 – Updated: 2026-04-03 13:04
    VLAI
    Title
    Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
    Summary
    Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    ash-project ash Affected: < 3.22.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34593",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T13:04:06.237768Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T13:04:09.413Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Ash Framework is a declarative, extensible framework for building Elixir applications. Prior to version 3.22.0, Ash.Type.Module.cast_input/2 unconditionally creates a new Erlang atom via Module.concat([value]) for any user-supplied binary string that starts with \"Elixir.\", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has a hard default limit of approximately 1,048,576 entries, an attacker who can submit values to any resource attribute or argument of type :module can exhaust this table and crash the entire BEAM VM, taking down the application. This issue has been patched in version 3.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T17:42:26.459Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jjf9-w5vj-r6vp"
            },
            {
              "name": "https://github.com/ash-project/ash/releases/tag/v3.22.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ash-project/ash/releases/tag/v3.22.0"
            }
          ],
          "source": {
            "advisory": "GHSA-jjf9-w5vj-r6vp",
            "discovery": "UNKNOWN"
          },
          "title": "Ash Framework: Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34593",
        "datePublished": "2026-04-02T17:42:26.459Z",
        "dateReserved": "2026-03-30T17:15:52.499Z",
        "dateUpdated": "2026-04-03T13:04:09.413Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48044 (GCVE-0-2025-48044)

    Vulnerability from cvelistv5 – Published: 2025-10-17 13:52 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Authorization bypass when bypass policy condition evaluates to true
    Summary
    Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 3.6.3 , < 3.7.1 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 , < 8b83efa225f657bfc3656ad8ee8485f9b2de923d (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Jechol Lee Jechol Lee Jonatan Männchen / EEF Zach Daniel
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48044",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-20T18:42:50.579615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-15T13:59:25.673Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/policy.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.7.1",
                  "status": "affected",
                  "version": "3.6.3",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/policy.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Policy\u0027:expression/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "8b83efa225f657bfc3656ad8ee8485f9b2de923d",
                  "status": "affected",
                  "version": "79749c2685ea031ebb2de8cf60cc5edced6a8dd0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.7.1",
                      "versionStartIncluding": "3.6.3",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jechol Lee"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jechol Lee"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Zach Daniel"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/policy.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Policy\u0027:expression/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines \u0027Elixir.Ash.Policy.Policy\u0027:expression/2.\n\nThis issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:21.571Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2025-48044.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48044"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Authorization bypass when bypass policy condition evaluates to true",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2025-48044",
        "datePublished": "2025-10-17T13:52:53.644Z",
        "dateReserved": "2025-05-15T08:40:25.455Z",
        "dateUpdated": "2026-05-27T15:40:21.571Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48043 (GCVE-0-2025-48043)

    Vulnerability from cvelistv5 – Published: 2025-10-10 15:57 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization
    Summary
    Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 0 , < 3.6.2 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 0 , < 66d81300065b970da0d2f4528354835d2418c7ae (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zach Daniel Jonatan Männchen / EEF Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48043",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-10T16:33:21.270063Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-10T16:45:42.403Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/authorizer/authorizer.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/policy/authorizer/authorizer.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "66d81300065b970da0d2f4528354835d2418c7ae",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.6.2",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Zach Daniel"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jonatan M\u00e4nnchen / EEF"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/policy/authorizer/authorizer.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines \u0027Elixir.Ash.Policy.Authorizer\u0027:strict_filters/2.\n\nThis issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:17.241Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-7r7f-9xpj-jmr7"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2025-48043.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48043"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/66d81300065b970da0d2f4528354835d2418c7ae"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2025-48043",
        "datePublished": "2025-10-10T15:57:29.225Z",
        "dateReserved": "2025-05-15T08:40:25.455Z",
        "dateUpdated": "2026-05-27T15:40:17.241Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48042 (GCVE-0-2025-48042)

    Vulnerability from cvelistv5 – Published: 2025-09-07 16:01 – Updated: 2026-05-27 15:40
    VLAI
    Title
    Before action hooks may execute in certain scenarios despite a request being forbidden
    Summary
    Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6. This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    ash-project ash Affected: 0 , < 3.5.39 (semver)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    ash-project ash Affected: 0 , < 5d1b6a5d00771fd468a509778637527b5218be9a (git)
        cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Zach Daniel Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48042",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:54:54.599381Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:55:11.399Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash",
              "packageURL": "pkg:hex/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/actions/create/bulk.ex",
                "lib/ash/actions/destroy/bulk.ex",
                "lib/ash/actions/update/bulk.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "3.5.39",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "packageName": "ash-project/ash",
              "packageURL": "pkg:github/ash-project/ash",
              "product": "ash",
              "programFiles": [
                "lib/ash/actions/create/bulk.ex",
                "lib/ash/actions/destroy/bulk.ex",
                "lib/ash/actions/update/bulk.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6"
                },
                {
                  "name": "\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6"
                }
              ],
              "repo": "https://github.com/ash-project/ash",
              "vendor": "ash-project",
              "versions": [
                {
                  "lessThan": "5d1b6a5d00771fd468a509778637527b5218be9a",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "3.5.39",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Zach Daniel"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003elib/ash/actions/create/bulk.ex\u003c/tt\u003e, \u003ctt\u003elib/ash/actions/destroy/bulk.ex\u003c/tt\u003e, \u003ctt\u003elib/ash/actions/update/bulk.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Ash.Actions.Update.Bulk\u0027:run/6\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines \u0027Elixir.Ash.Actions.Create.Bulk\u0027:run/5, \u0027Elixir.Ash.Actions.Destroy.Bulk\u0027:run/6, \u0027Elixir.Ash.Actions.Update.Bulk:run\u0027/6.\n\nThis issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T15:40:15.857Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2025-48042.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2025-48042"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Before action hooks may execute in certain scenarios despite a request being forbidden",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2025-48042",
        "datePublished": "2025-09-07T16:01:01.470Z",
        "dateReserved": "2025-05-15T08:40:25.455Z",
        "dateUpdated": "2026-05-27T15:40:15.857Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }