CVE-2026-42205
Received Received - Intake
Privilege Escalation in Avo Framework via Broken Access Control

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42205
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
avohq avo to 3.31.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user to execute unauthorized actions on any resource within the application, leading to privilege escalation and unauthorized data manipulation.

Such unauthorized access and manipulation of data can result in violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance with these common standards by enabling unauthorized data access and modification.

Executive Summary

This vulnerability exists in the Avo framework, which is used to create admin panels for Ruby on Rails applications. Before version 3.31.2, there was a broken access control issue in the ActionsController. Because of insecure action lookup logic, an authenticated user could execute any Action class on any resource, even if that action was not registered for that resource.

This means users could perform actions they were not authorized to, leading to privilege escalation and unauthorized manipulation of data across the entire application.

Impact Analysis

The vulnerability can have severe impacts including privilege escalation, where an authenticated user gains higher-level permissions than intended.

It allows unauthorized data manipulation across the entire application, potentially compromising the integrity, confidentiality, and availability of data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Avo framework to version 3.31.2 or later, where the broken access control issue in the ActionsController has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42205. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart