CVE-2026-48089
Deferred Deferred - Pending Action

Authentication Bypass in DevGuard Prior to 1.4.2

Vulnerability report for CVE-2026-48089, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user β€” including users from a different organization with no membership or role in the affected org/project β€” can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2`contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
devguard devguard to 1.4.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48089 is a vulnerability in DevGuard versions prior to 1.4.2 that affects the authorization controls on public assets. Any authenticated user, even those from different organizations without membership or roles in the affected organization or project, can perform unauthorized write operations on public assets. These operations include creating, updating, reapplying, and deleting VEX rules, managing dependency-vulnerability events, creating license risks, writing external references, creating artifacts, and refreshing licenses.

The flaw exists because of a public-read exemption in the access-control middleware, which fails to enforce proper authorization on write endpoints for public assets. The attacker only needs a valid account on the DevGuard instance but does not require any specific permissions related to the targeted asset.

A patch fixing this issue was released in version 1.4.2, and as a workaround, affected assets can be made private to restore correct authorization enforcement.

Compliance Impact

This vulnerability allows unauthorized authenticated users from different organizations to manipulate vulnerability management data on public assets, including creating, updating, and deleting VEX rules and other related data.

Such unauthorized modifications can undermine the integrity and trustworthiness of vulnerability and software bill of materials (SBOM) data, which may impact compliance with standards and regulations that require accurate and reliable security data management, such as GDPR and HIPAA.

Specifically, the ability to alter vulnerability triage information could lead to inaccurate risk assessments and reporting, potentially resulting in non-compliance with regulatory requirements for data protection and security controls.

However, the vulnerability only affects public assets and can be mitigated by making assets private or applying the patch in version v1.4.2.

Impact Analysis

This vulnerability can significantly impact the integrity and availability of vulnerability data on public assets managed by DevGuard.

  • Attackers can manipulate vulnerability data by creating, updating, or deleting VEX rules, potentially marking legitimate vulnerabilities as false positives or silencing them.
  • Unauthorized users can interfere with dependency-vulnerability event management, license risk creation, and artifact creation, undermining the trustworthiness of the vulnerability management system.
  • Downstream consumers relying on VEX/SBOM outputs may receive manipulated or inaccurate data, which can affect security decisions and risk assessments.

The vulnerability has a high severity CVSS score of 7.1, with low attack complexity and no user interaction required, making exploitation relatively easy for authenticated users.

Mitigation Strategies

To mitigate this vulnerability immediately, you should make all affected assets non-public by changing their visibility settings from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for those assets.

Additionally, you should upgrade your DevGuard instance to version v1.4.2 or later, which contains a patch that fixes this authorization flaw.

Note that downstream consumers relying on public endpoints like vex.json or sbom.json will need explicit access or must receive exported file versions until the patched release is deployed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart