CVE-2026-35173
IDOR in Chyrp Lite Post Model Enables Post Takeover
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chyrplite | chyrp_lite | to 2026.01 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-914 | The product does not properly restrict reading from or writing to dynamically-identified variables. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35173 is a moderate severity vulnerability in the Chyrp Lite blogging platform that combines an Insecure Direct Object Reference (IDOR) issue with a mass assignment flaw in the Post model.
Authenticated users with limited post editing permissions (such as Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) can exploit this vulnerability to modify posts they do not own or have permission to edit.
The root cause is that the Post model's constructor uses mass assignment: it loads the rows stored for the post in post_attributes and assigns each one to a property of the same name on the Post instance, without checking whether that property was already set from the posts row. Any user who can save a post can therefore store an attribute named like an internal class property, such as id, by adding it to the attribute payload of an edit.
When the Post object is next constructed, the injected attribute overwrites the id property, so a subsequent update that is keyed on the object's id is applied to a different user's post rather than the attacker's own, even though the ownership check on the attacker's post passed. The result is an unauthorized post takeover.
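The mechanism described above, as an added example that is not Chyrp Lite's own code: a stripped-down Post model whose constructor mass-assigns stored attributes, beside a hardened constructor that refuses to overwrite properties already set from the posts row. The class names, the column layout of posts and post_attributes, the sample rows and the editPost flow are all assumptions made for the illustration.

```php
<?php
// Added example, not Chyrp Lite's code. Table and column names are assumptions.

// Constructed sample rows standing in for the posts table (keyed by id) and
// the post_attributes table (post_id, name, value).
$posts = [
    7  => ['id' => 7,  'user_id' => 2, 'status' => 'draft'],
    15 => ['id' => 15, 'user_id' => 1, 'status' => 'public'],
];
$attributeRows = [
    ['post_id' => 7, 'name' => 'title', 'value' => 'My draft'],   // legitimate attribute
    ['post_id' => 7, 'name' => 'id',    'value' => '15'],         // injected by user 2 via option[id]
];

// Collect the stored attributes of one post as name => value.
function attributesFor(int $postId, array $rows): array {
    $out = [];
    foreach ($rows as $r) {
        if ((int) $r['post_id'] === $postId) {
            $out[$r['name']] = $r['value'];
        }
    }
    return $out;
}

#[AllowDynamicProperties]
class VulnerablePost {
    public $id;
    public $user_id;
    public $status;

    public function __construct(array $row, array $attributes) {
        $this->id      = (int) $row['id'];
        $this->user_id = (int) $row['user_id'];
        $this->status  = $row['status'];
        // Mass assignment: every stored attribute becomes a property, including
        // one named "id" that clobbers the value just set from the posts row.
        foreach ($attributes as $name => $value) {
            $this->$name = $value;
        }
    }
}

#[AllowDynamicProperties]
class HardenedPost {
    public $id;
    public $user_id;
    public $status;

    public function __construct(array $row, array $attributes) {
        $this->id      = (int) $row['id'];
        $this->user_id = (int) $row['user_id'];
        $this->status  = $row['status'];
        foreach ($attributes as $name => $value) {
            // Never let a stored attribute overwrite a property the constructor
            // already set; this is the shape of fix the advisory describes.
            if (isset($this->$name)) {
                continue;
            }
            $this->$name = $value;
        }
    }
}

// An "edit own post" flow: the ownership check passes, because row 7 really
// belongs to user 2, and the update is then keyed on $post->id.
// Returns the id of the row that was actually modified.
function editPost(string $class, int $postId, int $actingUser, string $newStatus,
                  array &$posts, array $attributeRows): int {
    $post = new $class($posts[$postId], attributesFor($postId, $attributeRows));
    if ((int) $post->user_id !== $actingUser) {
        throw new RuntimeException("user $actingUser does not own post $postId");
    }
    $target = (int) $post->id;
    $posts[$target]['status'] = $newStatus;
    return $target;
}

$table = $posts;
printf("vulnerable: user 2 edited post %d\n",
    editPost(VulnerablePost::class, 7, 2, 'private', $table, $attributeRows));
$table = $posts;
printf("hardened:   user 2 edited post %d\n",
    editPost(HardenedPost::class, 7, 2, 'private', $table, $attributeRows));
```

Run it with `php post_model.php`. With VulnerablePost the update lands on post 15, the one user 2 has no right to touch, while the permission check never noticed anything wrong; with HardenedPost the injected attribute is skipped and the update stays on post 7. Note that the guard is keyed on what the constructor has already set, so a property that is legitimately absent from the posts row (like title for a text-style post) is still filled in from the attribute rows.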
How can this vulnerability impact me?
This vulnerability allows an attacker with limited editing permissions to modify posts they do not own, leading to unauthorized content changes.
It can result in unauthorized modification of other users' posts, potentially damaging the integrity of the content on the blogging platform.
Because the same loop assigns every stored attribute, other properties the constructor sets, such as user_id, could in principle be overwritten the same way; the advisory documents the takeover through the post ID, which is already enough to modify posts owned by other users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Nothing about this attack is noisy: the injected attribute rides inside an ordinary authenticated form submission from an account that is allowed to edit posts, so detection means looking for a field a legitimate editor never sends, and for the rows it leaves behind.
Request-side, capture the form submission made when a post is saved (an intercepting proxy such as Burp Suite or OWASP ZAP, or the browser's network tab) and look for an 'option[id]' field, or any 'option[...]' field whose name matches an internal Post property, referencing a post the submitting user does not own.
Storage-side, the injected attribute is persisted and only takes effect when the Post object is next constructed, so the tell-tale rows survive in the post_attributes table; querying that table for attribute names such as 'id' finds past exploitation, not only attempts in flight.
- To confirm that an instance you are authorized to test is affected, replay a save of a post you own with the attribute added, reusing the browser's session cookie (the URL and the remaining form fields are placeholders; copy them from a legitimate save captured in the proxy):
- curl -v -b cookies.txt 'https://your-chyrp-lite-site.com/edit_post' -d 'option[id]=15&other_parameters=...'
- If the post with id 15 changes instead of your own, the instance is affected. The same test can be made by hand in Burp Suite or OWASP ZAP: intercept the save, add the 'option[id]' field, and forward the request.
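The storage-side check, as an added example that is not part of the page or of Chyrp Lite: a script that lists post_attributes rows whose names collide with Post object properties. It assumes the table layout post_attributes(post_id, name, value) and a reserved-name list that you should extend with the columns of your own posts table. It seeds an in-memory SQLite database with constructed rows so that it runs offline; to use it on a live site, point $dsn at the real database and remove the seeding block.

```php
<?php
// Added example, not Chyrp Lite's code. Schema and reserved names are assumptions.

$dsn = 'sqlite::memory:';   // e.g. 'mysql:host=localhost;dbname=chyrp' for a live site
$pdo = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// --- constructed sample data; remove when pointing at a live database ---
$pdo->exec('CREATE TABLE post_attributes (
    post_id INTEGER NOT NULL,
    name    VARCHAR(100) NOT NULL,
    value   TEXT NOT NULL,
    PRIMARY KEY (post_id, name))');
$seed = $pdo->prepare('INSERT INTO post_attributes (post_id, name, value) VALUES (?, ?, ?)');
foreach ([
    [7, 'title',   'My draft'],   // ordinary feather attribute
    [7, 'body',    'hello'],
    [7, 'id',      '15'],         // injected: redirects updates of post 7 to post 15
    [9, 'user_id', '1'],          // injected: would change the apparent owner of post 9
] as $row) {
    $seed->execute($row);
}
// ----------------------------------------------------------------------

// Attribute names that must never shadow a property set from the posts row.
// 'id' and 'user_id' are the ones that matter for this CVE; the rest are
// assumed columns of the posts table and should be adjusted to yours.
$reserved = ['id', 'user_id', 'feather', 'status', 'created_at', 'updated_at'];

// Return every stored attribute whose name is in the reserved list.
function findShadowingAttributes(PDO $pdo, array $reserved): array {
    $marks = implode(',', array_fill(0, count($reserved), '?'));
    $stmt = $pdo->prepare(
        "SELECT post_id, name, value FROM post_attributes
          WHERE name IN ($marks) ORDER BY post_id, name");
    $stmt->execute($reserved);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hits = findShadowingAttributes($pdo, $reserved);
if ($hits === []) {
    echo "no shadowing attributes found\n";
}
foreach ($hits as $h) {
    printf("post %d: attribute '%s' = %s\n", $h['post_id'], $h['name'], $h['value']);
}
```

Run it with `php find_shadowing.php`. The seeded data produces two findings, post 7 with an 'id' attribute and post 9 with a 'user_id' attribute, while the ordinary title and body attributes are left alone. Once the findings have been reviewed, the same WHERE clause with DELETE removes the rows; do that only after checking that no installed feather legitimately stores an attribute under one of the reserved names.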
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chyrp Lite to version 2026.01 or later, where the vulnerability is fixed.
This patch prevents overwriting of already set class properties with values from post attributes, blocking mass assignment of sensitive fields like 'id'.
Until the upgrade can be applied, restrict post editing permissions to trusted users only and monitor for suspicious editing activity.
Additionally, consider web application firewall (WAF) rules that block 'option[id]', and other internal Post property names, in post editing payloads as a stopgap until the upgrade is applied. Note that the upgrade stops stored attributes from overwriting properties but does not remove rows injected before it: review the post_attributes table for attribute rows named 'id' (or like any other Post property) and delete them as part of the remediation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized modification of other users' posts by authenticated users with limited editing permissions, leading to integrity violations of data within the Chyrp Lite blogging platform.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized modification of data can potentially lead to non-compliance with regulations that require data integrity and proper access controls.
Specifically, regulations like GDPR mandate protecting personal data from unauthorized alteration, and HIPAA requires safeguarding the integrity of protected health information. This vulnerability could undermine those requirements if such regulated data were stored or managed within the affected system.
Therefore, organizations using affected versions of Chyrp Lite should consider this vulnerability a risk to compliance with data protection and integrity standards until patched.