CVE-2026-53634
Unauthorized Record Creation in Sharp CMS via Quick Creation Command

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as the entity had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: sharpcms
Product: sharp
Version / Range: to 9.22.3 (exc)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

This vulnerability allows an authenticated user without proper create permissions to bypass authorization checks and submit new records or retrieve creation forms for entities with a Quick Creation Command handler configured.

Such unauthorized data creation or modification could potentially lead to violations of data protection and privacy regulations like GDPR or HIPAA, which require strict access controls and authorization mechanisms to protect sensitive data.

However, the provided information does not explicitly state the impact on compliance with these standards.

Executive Summary

This vulnerability exists in the Sharp content management framework for Laravel, specifically in versions from 9.0.0 up to but not including 9.22.3. The issue is that the create and store endpoints of the Quick Creation Command feature did not enforce any authorization checks. This means that an authenticated Sharp user who does not have create permission on a particular entity could still bypass the authorization layer to either access the creation form or submit new records for that entity, provided a Quick Creation Command handler was configured.

The vulnerability was fixed in version 9.22.3 by adding proper authorization enforcement.

Impact Analysis

This vulnerability can allow an authenticated user without proper create permissions to bypass authorization controls and create new records in entities they should not have access to. This could lead to unauthorized data insertion or manipulation within the system.

Since the vulnerability does not affect confidentiality or availability, but impacts integrity, it could result in unauthorized changes to data, potentially undermining trust in the system's data accuracy.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Sharp to version 9.22.3 or later, where the issue has been patched.

Additionally, review and restrict user permissions to ensure that only authorized users have create permissions on entities, especially those with Quick Creation Command handlers configured.
