CVE-2026-48067
Received - Intake
Livewire State Tampering in Filament Actions and Tables

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
laravel | filament | From 4.0.0 (inc) to 4.11.4 (inc)
laravel | filament | 5.6.4
laravel | filament | From 3.0.0 (inc) to 3.3.51 (inc)
CWE ID | Description
CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

This vulnerability affects Filament, a set of components for Laravel development: filament/actions from 4.0.0 until the fixed releases 4.11.4 and 5.6.4, and filament/tables from 3.0.0 until the fixed release 3.3.51.

The issue is that the method recordSelectOptionsQuery() is used to limit the options available in Select fields for AttachAction and AssociateAction, but the validation rules for these fields did not enforce the same limitations.

As a result, a user who can trigger these actions could manipulate the Livewire component's state and submit values that are outside the intended scope, potentially bypassing restrictions.

This vulnerability was fixed in filament/actions versions 4.11.4 and 5.6.4, and filament/tables version 3.3.51.

Impact Analysis

This vulnerability allows an attacker with permission to trigger AttachAction or AssociateAction to submit out-of-scope values by tampering with the Livewire component's state.

The impact is an integrity violation, where unauthorized or unintended data associations could be made, potentially leading to incorrect application behavior or data corruption.

The CVSS score of 6.5 indicates medium severity, with a high impact on integrity but no impact on confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability, you should update the affected filament packages to the fixed versions.

  • Update filament/actions to version 4.11.4 or 5.6.4 or later.
  • Update filament/tables to version 3.3.51 or later.

These updates fix the issue where the validation rule did not apply the same scope as the recordSelectOptionsQuery() method, preventing users from submitting out-of-scope values.
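
A check for the affected ranges, as an added example (not code from Filament or from the advisory): it reads a composer.lock and reports whether the locked filament/actions and filament/tables versions fall inside the ranges given in the description. The 5.0.0 lower bound for the 5.x line is an assumption, since the advisory names only the fixed release 5.6.4, and SAMPLE_LOCK is constructed.

```python
import json

# Lower bounds 4.0.0 / 3.0.0 and all fixed releases come from the advisory text.
# The 5.0.0 lower bound for filament/actions 5.x is an assumption.
AFFECTED = {
    "filament/actions": [((4, 0, 0), (4, 11, 4)), ((5, 0, 0), (5, 6, 4))],
    "filament/tables": [((3, 0, 0), (3, 3, 51))],
}

def parse_version(raw):
    """Turn 'v4.11.3' into (4, 11, 3); return None for dev branches and pre-releases."""
    parts = raw.lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def check_lock(lock_text):
    """Return {package: (locked_version, status)} for the packages named in the advisory."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in AFFECTED:
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            status = "unknown"      # cannot be compared; review by hand
        elif any(lo <= version < fixed for lo, fixed in AFFECTED[name]):
            status = "vulnerable"   # inside an affected range, below the fixed release
        else:
            status = "ok"
        findings[name] = (pkg.get("version"), status)
    return findings

# Constructed sample lock file (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "filament/actions", "version": "v4.11.3"},
        {"name": "filament/tables", "version": "v3.3.51"},
        {"name": "laravel/framework", "version": "v12.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (version, status) in check_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {status}")
```

A status of "unknown" means the locked version is a branch alias or pre-release that the comparison does not cover.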
