GHSA-389X-RGXR-8M33
Vulnerability from github – Published: 2026-06-30 18:33 – Updated: 2026-06-30 18:33
Summary
oban_web 2.12.0 through 2.12.4 (fixed in 2.12.5) exposes a save-job LiveView event handler that performs no authorization check, allowing any authenticated user (including those with :read_only access) to overwrite a queued job's worker field with any other Oban.Worker module present in the application. On the job's next execution attempt, Oban dispatches perform/1 on the attacker-chosen module instead of the intended one.
Details
In lib/oban/web/live/jobs/detail_component.ex, the sibling event handlers for destructive actions all gate their side effects via can?/2 (cancel, delete, retry). The handle_event("save-job", params, socket) clause added in 2.12.0 has no equivalent guard. It builds a changes map from the client-supplied params (including worker, queue, priority, max_attempts, scheduled_at, tags, args) and unconditionally dispatches {:update_job, job, changes} to the parent LiveView, which writes the changes to the database.
The disabled attribute on the edit fieldset and button in the rendered HTML is advisory only. The Phoenix LiveView channel dispatches any phx-event pushed over the authenticated WebSocket regardless of what the DOM looks like, so an attacker can push the event directly over the WebSocket without touching the UI.
The attacker is constrained to substituting an existing Oban.Worker module already loaded in the application (no code injection). Because args is among the client-supplied fields, the attacker also controls the arguments that module's perform/1 receives. The impact therefore depends on what workers are available in the target application and what they do with caller-chosen arguments.
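The following stand-alone sketch is an added illustration, not code from the oban_web repository: it places the unguarded save-job handler shape described above beside a guarded version that gates the side effect the way the cancel/delete/retry siblings do. The socket is a plain map standing in for a Phoenix.LiveView.Socket so the file runs with `elixir save_job_guard.exs` without Phoenix installed; the can?/2 helper, the :update_jobs action name, the access values (:all, :read_only, keyword list) and the worker names are assumptions modelled on the advisory text, not oban_web's real API.

```elixir
# Added example: a minimal model of the vulnerable and hardened handler.
# The socket is a bare map (assumption) so this runs without Phoenix.

defmodule Demo.Job do
  defstruct [:id, :worker, :queue, :args]
end

defmodule Demo.DetailComponent do
  # The client-editable fields the advisory lists for the save-job event.
  @editable ~w(worker queue priority max_attempts scheduled_at tags args)

  # Vulnerable shape: every client-supplied field is forwarded to the parent
  # LiveView (modelled here as a message to self), which persists it. Nothing
  # looks at the caller's access level before the side effect.
  def handle_event_unguarded("save-job", params, socket) do
    changes = Map.take(params, @editable)
    send(self(), {:update_job, socket.assigns.job, changes})
    {:noreply, socket}
  end

  # Hardened shape: check authorization before touching params at all.
  # A :read_only caller never produces an {:update_job, ...} message.
  def handle_event_guarded("save-job", params, socket) do
    if can?(:update_jobs, socket.assigns.access) do
      changes = Map.take(params, @editable)
      send(self(), {:update_job, socket.assigns.job, changes})
      {:noreply, socket}
    else
      # Rejected; a real component would surface a flash or error assign.
      {:noreply, socket}
    end
  end

  # Assumed permission helper (hypothetical): :all grants everything,
  # :read_only nothing, a keyword list grants exactly the actions set true.
  def can?(_action, :all), do: true
  def can?(_action, :read_only), do: false
  def can?(action, perms) when is_list(perms), do: Keyword.get(perms, action, false) == true
end

# Constructed sample: a queued job and a forged payload that swaps both the
# worker module and its args (all names hypothetical).
job = %Demo.Job{id: 42, worker: "MyApp.SendReceipt", queue: "mailers", args: %{"order_id" => 1}}
forged = %{"worker" => "MyApp.PurgeAccount", "args" => %{"account_id" => 7}}
read_only_socket = %{assigns: %{job: job, access: :read_only}}

for {label, handler} <- [
      unguarded: &Demo.DetailComponent.handle_event_unguarded/3,
      guarded: &Demo.DetailComponent.handle_event_guarded/3
    ] do
  handler.("save-job", forged, read_only_socket)

  # The parent's mailbox is the observable: did the write get requested?
  receive do
    {:update_job, %Demo.Job{id: 42}, changes} ->
      IO.puts("#{label}: parent asked to persist #{inspect(changes)}")
  after
    0 -> IO.puts("#{label}: read_only caller rejected, nothing sent to parent")
  end
end
```

Running it prints one line per handler: the unguarded clause hands the parent a changes map containing the attacker's worker and args, the guarded clause sends nothing. The point of the model is that the guard belongs at the top of the event clause, before any client field is read, not in the template's disabled attribute.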
PoC
1. Obtain an authenticated session with at minimum :read_only access to the Oban.Web dashboard.
2. Open any job's detail panel to obtain its job ID.
3. Push a forged save-job event over the LiveView WebSocket with "worker" set to the desired target module name.
4. The server accepts the payload and updates the job row. On its next execution attempt, Oban invokes perform/1 on the attacker-chosen module.
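The same push, expressed as a server-side regression check that a host application can keep after upgrading. This is an added example, not a test from the oban_web repository. It assumes a host app with a Phoenix ConnCase, a router that mounts the dashboard at "/oban" with a resolver whose resolve_access/1 returns :read_only for the test user, a detail route at "/oban/jobs/:id", and a detail component rendered inside an element with DOM id "#job-detail"; all of those, plus the MyApp.* module names, are assumptions. Phoenix.LiveViewTest's with_target/2 and render_submit/3 push the event straight to the component, which is exactly why the disabled fieldset in the HTML offers no protection.

```elixir
# Added regression test (hypothetical host app; names are assumptions).
defmodule MyAppWeb.ObanSaveJobAuthzTest do
  use MyAppWeb.ConnCase, async: true
  import Phoenix.LiveViewTest

  alias MyApp.Repo

  test "read-only dashboard user cannot rewrite a job's worker over the socket",
       %{conn: conn} do
    # Queue a job with a known worker (MyApp.SendReceipt is assumed to exist).
    {:ok, job} = Oban.insert(MyApp.SendReceipt.new(%{order_id: 1}))

    # Open the detail view as the :read_only user the test resolver yields.
    {:ok, view, _html} = live(conn, "/oban/jobs/#{job.id}")

    # Push save-job directly to the component, bypassing the disabled form
    # exactly as a forged WebSocket message would.
    view
    |> with_target("#job-detail")
    |> render_submit("save-job", %{"worker" => "MyApp.PurgeAccount"})

    # On a patched release the row is untouched; on 2.12.0 through 2.12.4
    # this assertion fails because the worker column now reads the forged value.
    assert Repo.reload!(job).worker == "MyApp.SendReceipt"
  end
end
```

Asserting on the reloaded row rather than on a flash message keeps the test independent of how the patched handler reports the rejection.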
Impact
CVSS 4.0 score 5.3 (Medium). Any application running oban_web 2.12.0 through 2.12.4 that exposes the dashboard to users with less than full job-management privileges is affected. The only precondition is an authenticated session with :read_only access or higher. The fix ships in oban_web 2.12.5.
References
- Introduction commit: https://github.com/oban-bg/oban_web/commit/a17bc8c31286c9d516e2892cf5483d1c95e65d6c
- Patch commit: https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "oban_web"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0"
},
{
"fixed": "2.12.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48592"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:33:20Z",
"nvd_published_at": "2026-05-26T21:16:41Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`oban_web` 2.12.0 through the current unpatched release exposes a `save-job` LiveView event handler that performs no authorization check, allowing any authenticated user (including those with `:read_only` access) to overwrite a queued job\u0027s `worker` field with any other `Oban.Worker` module present in the application. On the job\u0027s next execution attempt, Oban dispatches `perform/1` on the attacker-chosen module instead of the intended one.\n\n### Details\n\nIn `lib/oban/web/live/jobs/detail_component.ex`, the sibling event handlers for destructive actions all gate their side effects via `can?/2` (cancel, delete, retry). The `handle_event(\"save-job\", params, socket)` clause added in 2.12.0 has no equivalent guard. It builds a `changes` map from the client-supplied params (including `worker`, `queue`, `priority`, `max_attempts`, `scheduled_at`, `tags`, `args`) and unconditionally dispatches `{:update_job, job, changes}` to the parent LiveView, which writes the changes to the database.\n\nThe `disabled` attribute on the edit fieldset and button in the rendered HTML is advisory only. The Phoenix LiveView channel dispatches any `phx-event` pushed over the authenticated WebSocket regardless of what the DOM looks like, so the attacker pushes the event directly over the WebSocket without touching the UI.\n\nThe attacker is constrained to substituting an existing `Oban.Worker` module already loaded in the application (no code injection). The impact depends on what workers are available in the target application.\n\n### PoC\n\n1. Obtain an authenticated session with at minimum `:read_only` access to the Oban.Web dashboard.\n2. Open any job\u0027s detail panel to obtain its job ID.\n3. Push a forged `save-job` event over the LiveView WebSocket with `\"worker\"` set to the desired target module name.\n4. The server accepts the payload and updates the job row. On its next execution attempt, Oban invokes `perform/1` on the attacker-chosen module.\n\n### Impact\n\nCVSS 4.0 score 5.3 (Medium). Any application running `oban_web` \u003e= 2.12.0 that exposes the dashboard to users with less than full job-management privileges is affected. The only precondition is an authenticated session with `:read_only` access or higher.\n\n## References\n\n* Introduction commit: https://github.com/oban-bg/oban_web/commit/a17bc8c31286c9d516e2892cf5483d1c95e65d6c\n* Patch commit: https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248",
"id": "GHSA-389x-rgxr-8m33",
"modified": "2026-06-30T18:33:20Z",
"published": "2026-06-30T18:33:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oban-bg/oban_web/security/advisories/GHSA-389x-rgxr-8m33"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48592"
},
{
"type": "WEB",
"url": "https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-48592.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/oban-bg/oban_web"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48592"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "oban_web missing authorization check on `save-job` event handler"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.