CVE-2026-48592
Missing Authorization in Oban Web Allows Job Worker Substitution

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: EEF

Description
Missing Authorization vulnerability in oban-bg oban_web (the 'Elixir.Oban.Web.Jobs.DetailComponent' module) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers, which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web from 2.12.0 before 2.12.5.
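As an added illustration of the pattern the description identifies (hypothetical code, not the oban_web source), the following module routes every mutating LiveView event, save-job included, through a single authorization gate. The module name, the assigns shape, the capability atoms and the can?/2 argument order are assumptions; the page only states that can?/2 exists and that cancel, delete and retry call it while save-job did not.

```elixir
# Added example, not the oban_web source. The module name, the assigns shape,
# the capability atoms and the can?/2 argument order are assumptions; the page
# only states that can?/2 guards cancel/delete/retry while "save-job" had no check.
defmodule Example.JobDetail do
  # Hypothetical access policy carried in socket.assigns.access.
  def can?(:all, _action), do: true
  def can?(:read_only, _action), do: false
  def can?(caps, action) when is_list(caps), do: action in caps
  def can?(_, _), do: false

  # Every mutating event goes through one gate, so adding a new handler
  # without a check (the gap this CVE describes) is no longer the easy path.
  defp authorized(socket, action, change) do
    if can?(socket.assigns.access, action) do
      {:noreply, change.(socket)}
    else
      {:noreply, put_in(socket.assigns.flash, "not authorized: #{action}")}
    end
  end

  def handle_event("cancel", _params, socket),
    do: authorized(socket, :cancel_jobs, &set_state(&1, "cancelled"))

  def handle_event("retry", _params, socket),
    do: authorized(socket, :retry_jobs, &set_state(&1, "available"))

  # The handler this advisory concerns: changing the worker is gated like the
  # others, so a :read_only session gets a flash instead of a rewritten job.
  def handle_event("save-job", %{"worker" => worker}, socket),
    do: authorized(socket, :update_jobs, fn s -> put_in(s.assigns.job.worker, worker) end)

  defp set_state(socket, state), do: put_in(socket.assigns.job.state, state)
end

# Constructed socket for trying it in iex; a real LiveView socket would carry
# the same assigns. The :flash key must exist because put_in/2 with dot syntax
# raises on missing keys.
socket = %{assigns: %{access: :read_only, flash: nil,
                      job: %{worker: "MyApp.MailWorker", state: "retryable"}}}
{:noreply, %{assigns: %{flash: "not authorized: update_jobs"}}} =
  Example.JobDetail.handle_event("save-job", %{"worker" => "MyApp.Other"}, socket)
```

With access set to :all or to a list containing :update_jobs, the same call returns the socket with job.worker replaced, which is the only path a worker change should take.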
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor   Product    Version / Range
oban     oban_web   From 2.12.0 (inc) to 2.12.5 (exc)
CWE
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability is a Missing Authorization issue in the oban_web component of oban-bg, specifically in the 'Elixir.Oban.Web.Jobs.DetailComponent' module.

The problem occurs because the handler for the "save-job" event does not perform an authorization check, unlike the cancel, delete, and retry handlers, which verify the caller's privileges via can?/2.

As a result, an authenticated user with only read-only access can send a forged "save-job" event over the LiveView WebSocket to change a job's worker field to any other existing Oban.Worker module in the application.

When the job next runs, Oban invokes perform/1 on the attacker-chosen worker module instead of the intended one, potentially allowing unauthorized actions.

Impact Analysis

This vulnerability can allow an attacker with limited (read-only) access to substitute the worker module of a job with a different one.

This means the attacker can cause a job to be processed by an existing worker module that was never meant to handle it, potentially leading to unauthorized actions or data manipulation.

Such unauthorized job worker substitution compromises the integrity and expected behavior of background jobs, possibly leading to security breaches or system misuse.

Compliance Impact

The vulnerability allows an authenticated user with read-only access to perform unauthorized job worker substitution by exploiting a missing authorization check. This could potentially lead to unauthorized actions within the application.

However, there is no specific information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
