CVE-2026-42205
Privilege Escalation in Avo Framework via Broken Access Control
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| avohq | avo | all versions before 3.31.2 (3.31.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Avo framework, which is used to create admin panels for Ruby on Rails applications. Before version 3.31.2, there was a broken access control issue in the ActionsController. Because of insecure action lookup logic, an authenticated user could execute any Action class on any resource, even if that action was not registered for that resource.
This means users could perform actions they were not authorized to, leading to privilege escalation and unauthorized manipulation of data across the entire application.
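The following Ruby example is added here to illustrate the class of bug described above; it is not Avo's code, and the action classes, resource names and the REGISTERED_ACTIONS map are constructed for the example. It contrasts an action lookup that resolves any Action class by caller-supplied name with one that only resolves actions registered for the current resource.

```ruby
# Illustrative example (not Avo's implementation). Models the weakness
# described in the CVE: an admin-panel action lookup that is not scoped
# to the resource the action is registered for.
class ActionBase; end
class PublishPost < ActionBase; end
class DeleteAllUsers < ActionBase; end  # constructed: registered only for "users"

# Resource name => Action classes registered for it (constructed sample data).
REGISTERED_ACTIONS = {
  "posts" => [PublishPost],
  "users" => [DeleteAllUsers],
}.freeze

class UnauthorizedAction < StandardError; end

# Vulnerable pattern (CWE-639 style): the action is resolved from the
# caller-supplied class name alone, so any Action class loaded in the
# process is reachable from any resource, registered or not.
def lookup_action_insecure(_resource, action_name)
  klass = Object.const_get(action_name)
  raise UnauthorizedAction, "not an action" unless klass.is_a?(Class) && klass < ActionBase
  klass
end

# Hardened pattern: the resource's registered action list is the only
# source of candidates; the supplied name must match one of them.
def lookup_action_secure(resource, action_name)
  candidates = REGISTERED_ACTIONS.fetch(resource, [])
  klass = candidates.find { |k| k.name == action_name }
  raise UnauthorizedAction, "#{action_name} is not registered for #{resource}" unless klass
  klass
end
```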
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user to execute unauthorized actions on any resource within the application, leading to privilege escalation and unauthorized data manipulation.
Such unauthorized access and manipulation of data can result in violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.
Therefore, if exploited, this vulnerability could compromise compliance with these common standards by enabling unauthorized data access and modification.
How can this vulnerability impact me?
The vulnerability can have severe impacts including privilege escalation, where an authenticated user gains higher-level permissions than intended.
It allows unauthorized data manipulation across the entire application, potentially compromising the integrity, confidentiality, and availability of data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Avo framework to version 3.31.2 or later, where the broken access control issue in the ActionsController has been patched.