CVE-2026-48067
Deferred Deferred - Pending Action

Livewire State Tampering in Filament Actions and Tables

Vulnerability report for CVE-2026-48067, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
laravel filament From 4.0.0 (inc) to 4.11.4 (inc)
laravel filament 5.6.4
laravel filament From 3.0.0 (inc) to 3.3.51 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Filament, a set of components for Laravel development, specifically in versions of filament/actions from 4.0.0 until 4.11.4 and 5.6.4, and filament/tables from 3.0.0 until 3.3.51.

The issue is that the method recordSelectOptionsQuery() is used to limit the options available in Select fields for AttachAction and AssociateAction, but the validation rules for these fields did not enforce the same limitations.

As a result, a user who can trigger these actions could manipulate the Livewire component's state and submit values that are outside the intended scope, potentially bypassing restrictions.

This vulnerability was fixed in filament/actions versions 4.11.4 and 5.6.4, and filament/tables version 3.3.51.

Impact Analysis

This vulnerability allows an attacker with permission to trigger AttachAction or AssociateAction to submit out-of-scope values by tampering with the Livewire component's state.

The impact is an integrity violation, where unauthorized or unintended data associations could be made, potentially leading to incorrect application behavior or data corruption.

The CVSS score of 6.5 indicates a medium severity with a high impact on integrity but no impact on confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability, you should update the affected filament packages to the fixed versions.

  • Update filament/actions to version 4.11.4 or 5.6.4 or later.
  • Update filament/tables to version 3.3.51 or later.

These updates fix the issue where the validation rule did not apply the same scope as the recordSelectOptionsQuery() method, preventing users from submitting out-of-scope values.

Compliance Impact

This vulnerability allows an attacker to submit out-of-scope values by bypassing authorization checks, which can impact data integrity.

Such an integrity issue could potentially lead to unauthorized data manipulation, which may affect compliance with standards and regulations like GDPR and HIPAA that require strict controls over data access and integrity.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart