4 vulnerabilities found for cerebrate by cerebrate
GCVE-1-2026-0006
Vulnerability from gna-1 – Published: 2026-01-13 15:37 – Updated: 2026-01-13 15:37
Title
Improper Access Control in Cerebrate AuthKey and EncryptionKey Entities Allows Modification of Sensitive Fields
Summary
Multiple mass assignment vulnerabilities exist in the AuthKey and EncryptionKey entities of Cerebrate prior to the fixed version, where insufficient protection of sensitive fields allowed attackers to modify security-critical attributes. Due to missing or overly permissive $_accessible configurations, attackers could set protected fields such as authentication keys, UUIDs, and primary identifiers, potentially leading to credential manipulation, impersonation, and compromise of cryptographic material.
Credits
Jeroen Pinoy (finder)
Andras Iklody (remediation developer)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cerebrate",
"vendor": "cerebrate",
"versions": [
{
"lessThan": "1.31",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple mass assignment vulnerabilities exist in the \u003ccode\u003eAuthKey\u003c/code\u003e and \u003ccode\u003eEncryptionKey\u003c/code\u003e entities of Cerebrate prior to the fixed version, where insufficient protection of sensitive fields allowed attackers to modify security-critical attributes. Due to missing or overly permissive \u003ccode\u003e$_accessible\u003c/code\u003e configurations, attackers could set protected fields such as authentication keys, UUIDs, and primary identifiers, potentially leading to credential manipulation, impersonation, and compromise of cryptographic material.\u003cbr\u003e"
}
],
"value": "Multiple mass assignment vulnerabilities exist in the AuthKey and EncryptionKey entities of Cerebrate prior to the fixed version, where insufficient protection of sensitive fields allowed attackers to modify security-critical attributes. Due to missing or overly permissive $_accessible configurations, attackers could set protected fields such as authentication keys, UUIDs, and primary identifiers, potentially leading to credential manipulation, impersonation, and compromise of cryptographic material."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en"
}
]
},
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/cerebrate-project/cerebrate/commit/e19fdecdda099554082b330fb47d68842aa62a55"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Access Control in Cerebrate AuthKey and EncryptionKey Entities Allows Modification of Sensitive Fields",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0006"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-01-13T15:37:17.337254Z",
"dateUpdated": "2026-01-13T15:37:17.337254Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-0006",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T15:37:17.337254Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0005
Vulnerability from gna-1 – Published: 2026-01-13 15:31 – Updated: 2026-01-13 15:38
Title
Improper Access Control in Cerebrate Alignment Model Allows Mass Assignment of Sensitive Fields
Summary
A mass assignment vulnerability exists in the Alignment entity of Cerebrate prior to the fixed version, where insufficient access control on entity fields allowed attackers to set protected attributes. Due to the absence of a restrictive $_accessible configuration, attackers could manipulate sensitive fields such as id and created during entity creation or update operations, potentially leading to data integrity issues and unauthorized record manipulation.
Credits
Jeroen Pinoy (finder)
Andras Iklody (remediation developer)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cerebrate",
"vendor": "cerebrate",
"versions": [
{
"lessThan": "1.31",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A mass assignment vulnerability exists in the \u003ccode\u003eAlignment\u003c/code\u003e entity of Cerebrate prior to the fixed version, where insufficient access control on entity fields allowed attackers to set protected attributes. Due to the absence of a restrictive \u003ccode\u003e$_accessible\u003c/code\u003e configuration, attackers could manipulate sensitive fields such as \u003ccode\u003eid\u003c/code\u003e and \u003ccode\u003ecreated\u003c/code\u003e during entity creation or update operations, potentially leading to data integrity issues and unauthorized record manipulation."
}
],
"value": "A mass assignment vulnerability exists in the Alignment entity of Cerebrate prior to the fixed version, where insufficient access control on entity fields allowed attackers to set protected attributes. Due to the absence of a restrictive $_accessible configuration, attackers could manipulate sensitive fields such as id and created during entity creation or update operations, potentially leading to data integrity issues and unauthorized record manipulation."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en"
}
]
},
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/cerebrate-project/cerebrate/commit/02a8d13b63a8b09454289a392891edf3da2adc97"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Access Control in Cerebrate Alignment Model Allows Mass Assignment of Sensitive Fields",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0005"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-01-13T15:31:00.000Z",
"dateUpdated": "2026-01-13T15:38:02.888546Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-0005",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T15:31:55.283404Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T15:38:02.888546Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-0004
Vulnerability from gna-1 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:38
Title
Authorization Bypass in Cerebrate IndividualsController Edit Function
Summary
A privilege escalation vulnerability exists in the IndividualsController::edit() function of Cerebrate prior to the fixed version, where an inverted permission check allowed unauthorized users to modify the uuid field of Individual records. Due to an incorrect conditional statement, non-community-admin users were able to set or alter the UUID of an individual, potentially leading to identity spoofing, data corruption, or unauthorized object takeover.
Credits
Jeroen Pinoy (finder)
Andras Iklody (remediation developer)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cerebrate",
"vendor": "cerebrate",
"versions": [
{
"lessThan": "1.31",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A privilege escalation vulnerability exists in the \u003cem\u003eIndividualsController::edit()\u003c/em\u003e function of Cerebrate prior to the fixed version, where an inverted permission check allowed unauthorized users to modify the \u003ccode\u003euuid\u003c/code\u003e field of Individual records. Due to an incorrect conditional statement, non-community-admin users were able to set or alter the UUID of an individual, potentially leading to identity spoofing, data corruption, or unauthorized object takeover."
}
],
"value": "A privilege escalation vulnerability exists in the IndividualsController::edit() function of Cerebrate prior to the fixed version, where an inverted permission check allowed unauthorized users to modify the uuid field of Individual records. Due to an incorrect conditional statement, non-community-admin users were able to set or alter the UUID of an individual, potentially leading to identity spoofing, data corruption, or unauthorized object takeover."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/cerebrate-project/cerebrate/commit/2d803ae9e2d6c7a678de892de88aca3119d7926f"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass in Cerebrate IndividualsController Edit Function",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0004"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-01-13T15:28:00.000Z",
"dateUpdated": "2026-01-13T15:38:37.744618Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-0004",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T15:28:17.530156Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T15:38:37.744618Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2025-0017
Vulnerability from gna-1 – Published: 2025-11-12 08:15 – Updated: 2025-11-28 07:22
Title
Privilege escalation in Cerebrate allows an authenticated non-privileged user to escalate their privileges
Summary
Privilege escalation in UsersController::edit in Cerebrate Project (until version v1.29) allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id/organisation_id fields in the edit request.
CWE
- CWE-269 - Improper Privilege Management
Credits
ENISA (finder)
Sami Mokaddem (aka Graphman) (remediation developer)
Alexandre Dulaunoy (coordinator)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cerebrate",
"vendor": "cerebrate",
"versions": [
{
"lessThan": "1.30",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ENISA"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sami Mokaddem"
},
{
"lang": "en",
"type": "coordinator",
"value": "Alexandre Dulaunoy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege escalation in \u003ccode\u003eUsersController::edit\u003c/code\u003e in Cerebrate Project (until version v1.29) allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying \u003ccode\u003erole_id\u003c/code\u003e/\u003ccode\u003eorganisation_id\u003c/code\u003e fields in the edit request."
}
],
"value": "Privilege escalation in UsersController::edit in Cerebrate Project (until version v1.29) allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id/organisation_id fields in the edit request."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html"
}
]
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"url": "https://github.com/cerebrate-project/cerebrate/commit/c9bfa90abc85d4a20a9cc2f282959b72bef829bb"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html"
}
]
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Privilege escalation in Cerebrate allows an authenticated non-privileged user to escalate their privileges",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2025-0017"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2025-66385",
"datePublished": "2025-11-12T08:15:00.000Z",
"dateUpdated": "2025-11-28T07:22:08.205835Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2025-0017",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2025-11-12T08:15:46.336994Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-28T07:20:30.439115Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2025-11-28T07:22:08.205835Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}