CVE-2026-48592
Missing Authorization in Oban Web Allows Job Worker Substitution
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: EEF
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oban | oban_web | From 2.12.0 (inc) to 2.12.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authorization issue in the oban_web component of oban-bg, specifically in the 'Elixir.Oban.Web.Jobs.DetailComponent' module.
The problem is that the handler for the "save-job" event performs no authorization check, unlike the cancel, delete, and retry handlers, which do verify the user's privileges.
As a result, an authenticated user with only read-only access can send a forged "save-job" event over the LiveView WebSocket connection and change a job's worker field to any other worker module that exists in the application.
The next time the job runs, it executes the attacker-chosen worker module instead of the intended one, potentially allowing unauthorized actions.
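The pattern behind this advisory, shown as an added illustration that is not Oban Web's own code: a job-detail component where each handler checks access on its own (and one forgets to), beside a version where a single guard sits in front of every state-changing event and the editable fields are allowlisted. The dispatch layer is modelled as plain Elixir so it runs with `elixir job_detail.exs` and needs no Phoenix; the module names, the `:read_only`/`:all` access levels, the field list, and the socket shape are assumptions made for this example. The event names save-job, cancel, delete and retry are the ones the advisory names.

```elixir
# Added example, not Oban Web's code. Module names, access levels, the
# editable-field list and the socket shape are assumptions for illustration.

defmodule JobDetail.Vulnerable do
  @moduledoc "Before: each handler checks access on its own, and one forgets to."

  # Read-only sessions are refused for cancel, delete and retry ...
  def handle_event(event, _params, %{access: :read_only} = socket)
      when event in ["cancel", "delete", "retry"],
      do: {:error, :forbidden, socket}

  def handle_event(event, _params, socket) when event in ["cancel", "delete", "retry"],
    do: {:ok, apply_change(socket, event, %{})}

  # ... but "save-job" has no read-only clause, so every caller reaches the write,
  # and every field in the payload (including "worker") is merged into the job.
  def handle_event("save-job", params, socket),
    do: {:ok, apply_change(socket, "save-job", params)}

  defp apply_change(%{job: job, audit: audit} = socket, event, fields) do
    %{socket | job: Map.merge(job, fields), audit: [event | audit]}
  end
end

defmodule JobDetail.Hardened do
  @moduledoc "After: one guard for all mutating events, plus an allowlist of editable fields."

  @mutating_events ["save-job", "cancel", "delete", "retry"]
  # The worker module is deliberately not editable through this form.
  @editable_fields ["args", "priority", "queue"]

  # The access check is made once, for the whole set of mutating events,
  # so adding a new handler cannot silently skip it.
  def handle_event(event, _params, %{access: :read_only} = socket)
      when event in @mutating_events,
      do: {:error, :forbidden, socket}

  def handle_event("save-job", params, %{access: :all} = socket) do
    accepted = Map.take(params, @editable_fields)
    {:ok, apply_change(socket, "save-job", accepted)}
  end

  def handle_event(event, _params, %{access: :all} = socket) when event in @mutating_events,
    do: {:ok, apply_change(socket, event, %{})}

  # Unknown events, or a socket without an explicit access level, are refused
  # rather than silently applied.
  def handle_event(_event, _params, socket), do: {:error, :rejected, socket}

  defp apply_change(%{job: job, audit: audit} = socket, event, fields) do
    %{socket | job: Map.merge(job, fields), audit: [event | audit]}
  end
end

defmodule JobDetail.Demo do
  # Constructed read-only session viewing a job that runs MyApp.MailWorker.
  @reader %{access: :read_only, job: %{"worker" => "MyApp.MailWorker", "queue" => "mailers"}, audit: []}
  # A save-job payload that carries a worker field, the case the advisory describes.
  @payload %{"worker" => "MyApp.OtherWorker", "queue" => "default"}

  def run do
    {:ok, changed} = JobDetail.Vulnerable.handle_event("save-job", @payload, @reader)
    IO.puts("vulnerable:       worker is now #{changed.job["worker"]}")

    {:error, :forbidden, same} = JobDetail.Hardened.handle_event("save-job", @payload, @reader)
    IO.puts("hardened:         worker is still #{same.job["worker"]}")

    # Even a full-access user cannot change the worker through this form;
    # only the allowlisted "queue" field is applied.
    admin = %{@reader | access: :all}
    {:ok, saved} = JobDetail.Hardened.handle_event("save-job", @payload, admin)
    IO.puts("hardened (admin): worker #{saved.job["worker"]}, queue #{saved.job["queue"]}")
  end
end

JobDetail.Demo.run()
```

The two changes are independent and both matter: the shared guard closes the authorization gap for every mutating event at once, while the field allowlist limits what a legitimately authorized save can alter, so a job's worker module cannot be redirected through the edit form at all. When reviewing a LiveView component for this class of bug, list every `handle_event` clause that writes state and confirm each one is covered by the same access check as the others.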
How can this vulnerability impact me?
This vulnerability can allow an attacker with limited access (read-only) to substitute the worker module of a job with a different one.
This means the attacker can cause the system to execute arbitrary or unintended code during job processing, potentially leading to unauthorized actions or data manipulation.
Such unauthorized job worker substitution could compromise the integrity and expected behavior of background jobs, possibly leading to security breaches or system misuse.