CVE-2026-42202
Boolean Attribute Manipulation in Nova Toggle
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Meta Information
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in nova-toggle-5 prior to version 1.3.0, where the toggle endpoint allowed any authenticated user on the configured guard to flip boolean attributes on any Nova resource. This included users who normally would not have access to Nova at all, such as frontend customers sharing the same web guard as the Nova admin area.
Additionally, the endpoint accepted an arbitrary attribute parameter, so any such caller could toggle any boolean column on the underlying model, not just the columns exposed as Toggle fields on the resource. This could lead to unauthorized changes to data.
The issue was fixed in version 1.3.0.
How can this vulnerability impact me?
This vulnerability allows users who are authenticated on the same guard, but who should have no Nova access, to change boolean attributes on any Nova resource, altering data they are not authorized to modify.
Because the endpoint accepts an arbitrary attribute parameter, such a caller could toggle boolean columns that control important features or states, leading to unauthorized modifications and potential misuse of the system.
The CVSS score of 6.5 indicates medium severity: high impact on integrity, with no impact on confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in nova-toggle version 1.3.0. To mitigate this vulnerability, you should upgrade nova-toggle to version 1.3.0 or later.
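As an added illustration (not nova-toggle's code or its 1.3.0 fix), a hypothetical Laravel controller for a toggle endpoint that closes both gaps described above: it requires the caller to pass the Nova gate and the resource's own update authorization, and it only toggles attributes the resource actually exposes as boolean fields. It assumes Nova's built-in `Boolean` field as a stand-in for the package's Toggle field; the controller name and route parameters are invented.

```php
<?php
// Added example, not the package's own code: a hypothetical toggle endpoint
// that refuses callers outside the Nova gate and attributes outside the
// resource's declared boolean fields.
namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Laravel\Nova\Fields\Boolean;
use Laravel\Nova\Http\Requests\NovaRequest;
use Laravel\Nova\Nova;

class ToggleController
{
    public function __invoke(NovaRequest $request, string $resourceKey, string $resourceId): JsonResponse
    {
        // Gap 1: being logged in on the shared guard is not enough. The caller
        // must also pass the Nova gate (the viewNova gate from NovaServiceProvider),
        // which is what keeps frontend customers out of the admin area.
        abort_unless(Nova::check($request), 403);

        $resourceClass = Nova::resourceForKey($resourceKey);
        abort_if($resourceClass === null, 404);

        $model = $resourceClass::newModel()->newQuery()->findOrFail($resourceId);
        $resource = new $resourceClass($model);

        // The caller must also be allowed to update this particular resource,
        // exactly as Nova's own update form would require.
        abort_unless($resource->authorizedToUpdate($request), 403);

        // Gap 2: never trust the attribute name from the request. Build the
        // allowlist from the boolean fields the resource declares (Boolean stands
        // in for the package's Toggle field here; fields nested in panels are not
        // descended into) and reject anything else.
        $attribute = (string) $request->input('attribute');
        $allowed = $resource->availableFields($request)
            ->filter(fn ($field) => $field instanceof Boolean)
            ->map(fn ($field) => $field->attribute)
            ->all();

        abort_unless(in_array($attribute, $allowed, true), 422);

        // Only now flip the column, and report the new state back.
        $model->forceFill([$attribute => ! (bool) $model->{$attribute}])->save();

        return response()->json([$attribute => (bool) $model->{$attribute}]);
    }
}
```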