CVE-2026-1774
Awaiting Analysis Awaiting Analysis - Queue
Prototype Pollution in CASL Ability 2.4.0–6.7.4 Vulnerability

Publication date: 2026-02-10

Last updated on: 2026-02-11

Assigner: CERT/CC

Description
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1774
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
stalniy casl_ability From 2.4.0 (inc) to 6.7.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-1774 is a prototype pollution vulnerability found in CASL Ability versions 2.4.0 through 6.7.4. Prototype pollution occurs when an attacker is able to modify or inject properties into an object's prototype, such as Object.prototype in JavaScript. This allows the attacker to add or change attributes that affect all objects inheriting from that prototype, potentially altering application behavior globally."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the software does not properly control or validate modifications to special prototype attributes like __proto__, constructor, or prototype. Attackers can exploit this by supplying crafted input that modifies these prototype attributes, leading to unexpected and malicious changes in the application.'}] [2, 3]

Impact Analysis

This vulnerability can have serious impacts including unauthorized data access, data modification, and denial of service. By polluting the prototype, an attacker can cause the application to behave incorrectly, such as bypassing security checks, escalating privileges, or injecting malicious code.

  • Confidentiality impact: Attackers may read or modify sensitive application data.
  • Integrity impact: Malicious attributes can alter application logic or security controls.
  • Availability impact: Overriding prototype attributes with incompatible types can cause crashes or restarts, leading to denial of service.

Examples of exploitation include bypassing access controls by setting global flags like isAdmin to true, or injecting malicious scripts via polluted properties.

Compliance Impact

I don't know

Detection Guidance

Detection of this prototype pollution vulnerability can be performed using automated static analysis (SAST) tools that analyze data flow from input sources to sinks where object attributes are set.

Since the vulnerability involves JavaScript prototype pollution, detection involves checking for unsafe assignments to prototype attributes such as __proto__, constructor, or prototype.

There are no specific network commands provided, but detection typically involves code analysis tools or runtime monitoring for suspicious prototype modifications.

Mitigation Strategies

Immediate mitigation steps include:

  • Validate and sanitize all user inputs to block modifications to prototype attributes such as __proto__, constructor, and prototype.
  • Freeze the Object prototype using Object.freeze(Object.prototype) to prevent any modifications.
  • Use objects without prototypes by creating them with Object.create(null) to avoid prototype inheritance.
  • Prefer using Map or Set data structures instead of plain objects for key-value storage.
  • Use runtime defenses such as the Node.js flag --disable-proto=delete|throw to disable or throw errors on __proto__ access.
  • Avoid using vulnerable patterns like recursive merging or cloning of objects based on user input without validation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart