CVE-2026-35173
Received Received - Intake
IDOR in Chyrp Lite Post Model Enables Post Takeover

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35173
EUVD
EUVD-2026-19420
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chyrplite chyrp_lite to 2026.01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-914 The product does not properly restrict reading from or writing to dynamically-identified variables.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35173 is a moderate severity vulnerability in the Chyrp Lite blogging platform that combines an Insecure Direct Object Reference (IDOR) issue with a mass assignment flaw in the Post model.

Authenticated users with limited post editing permissions (such as Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) can exploit this vulnerability to modify posts they do not own or have permission to edit.

The root cause is that the Post model's constructor uses mass assignment by loading attributes from the post_attributes payload and directly assigning them to the Post object instance. Attackers can inject internal class properties like the post ID into this payload.

This injection causes the application to overwrite the Post object's ID property, resulting in subsequent update operations being performed on a different user's post rather than the attacker's own, effectively enabling unauthorized post takeover.

Impact Analysis

This vulnerability allows an attacker with limited editing permissions to modify posts they do not own, leading to unauthorized content changes.

It can result in unauthorized modification of other users' posts, potentially damaging the integrity of the content on the blogging platform.

Additionally, attackers might escalate privileges by overwriting ownership attributes such as user_id, effectively hijacking posts owned by other users.

Detection Guidance

This vulnerability can be detected by monitoring and intercepting requests made by authenticated users with post editing permissions to see if the post editing payload contains injected internal class properties such as 'id' that do not belong to the user's own posts.

A practical approach is to capture and inspect HTTP requests to the post editing endpoint, looking for parameters like 'option[id]' that reference post IDs not owned by the authenticated user.

For example, using command-line tools such as curl or intercepting proxies like Burp Suite or OWASP ZAP can help analyze these requests.

  • Use curl to fetch a post edit page and inspect the request payload:
  • curl -v -u username:password -X POST https://your-chyrp-lite-site.com/edit_post -d 'post_attributes[id]=15&other_parameters=...'
  • Use a proxy tool (Burp Suite, OWASP ZAP) to intercept and modify the 'id' parameter in the post_attributes payload during an edit operation to test if unauthorized post modification is possible.
Mitigation Strategies

The immediate mitigation step is to upgrade Chyrp Lite to version 2026.01 or later, where the vulnerability is fixed.

This patch prevents overwriting of already set class properties with values from post attributes, blocking mass assignment of sensitive fields like 'id'.

Until the upgrade can be applied, restrict post editing permissions to trusted users only and monitor for suspicious editing activity.

Additionally, consider implementing network-level controls or web application firewall (WAF) rules to detect and block requests attempting to inject unauthorized 'id' parameters in post editing payloads.

Compliance Impact

This vulnerability allows unauthorized modification of other users' posts by authenticated users with limited editing permissions, leading to integrity violations of data within the Chyrp Lite blogging platform.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized modification of data can potentially lead to non-compliance with regulations that require data integrity and proper access controls.

Specifically, regulations like GDPR mandate protecting personal data from unauthorized alteration, and HIPAA requires safeguarding the integrity of protected health information. This vulnerability could undermine those requirements if such regulated data were stored or managed within the affected system.

Therefore, organizations using affected versions of Chyrp Lite should consider this vulnerability a risk to compliance with data protection and integrity standards until patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart