CVE-2026-53634
Status: Deferred - Pending Action

Unauthorized Record Creation in Sharp CMS via Quick Creation Command

Vulnerability report for CVE-2026-53634, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.

Meta Information

Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-07-01
AI Q&A
2026-06-11
EPSS Evaluated
2026-06-30

Affected Vendors & Products

Associated CPE (1):
Vendor: sharpcms
Product: sharp
Version / Range: up to 9.22.3 (excluding)

Exploitability

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Compliance Impact

This vulnerability allows an authenticated user without proper create permissions to bypass authorization checks and submit new records or retrieve creation forms for entities with a Quick Creation Command handler configured.

Such unauthorized data creation or modification could potentially lead to violations of data protection and privacy regulations like GDPR or HIPAA, which require strict access controls and authorization mechanisms to protect sensitive data.

The advisory itself does not state a compliance impact; the consequence for a given deployment depends on which entities expose a Quick Creation Command handler and what data those entities hold.

Executive Summary

This vulnerability exists in the Sharp content management framework for Laravel, specifically in versions from 9.0.0 up to but not including 9.22.3. The issue is that the create and store endpoints of the Quick Creation Command feature did not enforce any authorization checks. This means that an authenticated Sharp user who does not have create permission on a particular entity could still bypass the authorization layer to either access the creation form or submit new records for that entity, provided a Quick Creation Command handler was configured.

The vulnerability was fixed in version 9.22.3 by adding proper authorization enforcement.

Impact Analysis

This vulnerability can allow an authenticated user without proper create permissions to bypass authorization controls and create new records in entities they should not have access to. This could lead to unauthorized data insertion or manipulation within the system.

The impact falls mainly on integrity: records can be inserted into an entity by users who were never granted create rights on it, so data accuracy and any workflow that trusts those records can be undermined. Because the creation form is also served without the check, such a user can additionally see the form definition (field names and options) of an entity they are not allowed to create in. No CVSS vector is shown on this page, so the confidentiality and availability components are not established here.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Sharp to version 9.22.3 or later, where the issue has been patched.

Reviewing which users hold create permission on each entity is still worthwhile, but it is not a mitigation on its own: the flaw is that the Quick Creation Command endpoints skip the permission check entirely, so a correctly restricted permission is never consulted on that path. Until the upgrade is applied, remove (or do not configure) the Quick Creation Command handler on entities where not every Sharp user is meant to create records, since the advisory scopes the bypass to entities that have such a handler configured.
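To check the installed version mechanically across many projects, here is an added example script (not from the advisory or from the Sharp project) that reads composer.lock and classifies the pinned version against the affected range. It assumes Sharp's Packagist name is code16/sharp and relies only on the standard composer.lock layout (the packages and packages-dev arrays with name and version keys).

```php
<?php
// check-sharp-version.php: added example, not from the advisory or from Sharp.
// Reads composer.lock and reports whether the pinned code16/sharp (Sharp's
// Packagist name) falls in the affected range 9.0.0 <= v < 9.22.3.
//
// Usage, from the Laravel project root:
//   php check-sharp-version.php [path/to/composer.lock]

declare(strict_types=1);

const PACKAGE        = 'code16/sharp';
const FIRST_AFFECTED = '9.0.0';
const FIXED_IN       = '9.22.3';

/** Version string pinned for $package in a decoded composer.lock, or null if absent. */
function pinnedVersion(array $lock, string $package): ?string
{
    // Both sections matter: a package listed under packages-dev still ships
    // if the vendor directory is deployed with dev dependencies installed.
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? null) === $package) {
            return ltrim((string) $pkg['version'], 'v');   // composer.lock stores tags as "v9.21.0"
        }
    }
    return null;
}

/** One of: absent, unresolved, older, affected, fixed. */
function classify(?string $version): string
{
    if ($version === null) {
        return 'absent';
    }
    if (!preg_match('/^\d+\.\d+/', $version)) {
        return 'unresolved';   // e.g. "dev-main" or "9.x-dev": compare the pinned commit manually
    }
    if (version_compare($version, FIRST_AFFECTED, '<')) {
        return 'older';        // below 9.0.0: outside the range the advisory covers
    }
    return version_compare($version, FIXED_IN, '<') ? 'affected' : 'fixed';
}

$lockFile = $argv[1] ?? getcwd() . '/composer.lock';
if (!is_file($lockFile)) {
    fwrite(STDERR, "no composer.lock at {$lockFile}\n");
    exit(2);
}

$lock    = json_decode((string) file_get_contents($lockFile), true, 512, JSON_THROW_ON_ERROR);
$version = pinnedVersion($lock, PACKAGE);
$status  = classify($version);

printf("%s %s: %s\n", PACKAGE, $version ?? '(not pinned)', match ($status) {
    'absent'     => 'not present in ' . $lockFile,
    'unresolved' => 'branch version, compare the pinned commit against the ' . FIXED_IN . ' tag manually',
    'older'      => 'below ' . FIRST_AFFECTED . ', outside the range the advisory covers',
    'affected'   => 'AFFECTED by CVE-2026-53634, upgrade to ' . FIXED_IN . ' or later',
    'fixed'      => 'at or above ' . FIXED_IN,
});

// Non-zero exit lets a CI job or fleet scan fail on affected installations.
exit($status === 'affected' ? 1 : 0);
```

The lock file, not composer.json, is what determines the deployed version, which is why the script reads it rather than the constraint. Branch pins such as dev-main are reported separately because version_compare cannot place them in the range; resolve those by comparing the pinned commit against the 9.22.3 tag.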

Detection Guidance

This vulnerability involves missing authorization checks in the create and store endpoints of the Quick Creation Command feature in Sharp versions 9.0.0 to before 9.22.3. Detection would involve verifying whether unauthorized users can access these endpoints or submit new records without proper permissions.

A practical approach to detect this vulnerability is to test the create and store endpoints of the Quick Creation Command feature by attempting to access or submit data as an authenticated user without create permissions on a given entity.

Because the affected functionality is reached over HTTP, you can probe it with curl. The advisory does not publish the route paths, so list them from your own application first (php artisan route:list --path=sharp) and substitute the real ones; the paths below are placeholders. Sharp normally authenticates through the Laravel session, so send the cookies of a logged-in user who lacks create permission on the entity (-b cookies.txt); an Authorization: Bearer header applies only if your deployment puts Sharp behind token authentication. For example:

  • Attempt to retrieve the creation form (create endpoint) without create permission: curl -i -b cookies.txt https://<sharp-instance>/<quick-creation-form-route>
  • Attempt to submit a new record (store endpoint) without create permission: curl -i -X POST -b cookies.txt -H "Content-Type: application/json" -d '{"field1":"value1", "field2":"value2"}' https://<sharp-instance>/<quick-creation-store-route>

Interpret the result by status code. A 200 on the form request, or a 2xx on the store request followed by a new row for that entity, means the authorization layer was bypassed and the instance is vulnerable. A 403 (or Sharp's own authorization error) means the check is in place. A 401 means the session was not accepted, and a 419 means Laravel rejected the POST for a missing CSRF token (send the XSRF-TOKEN cookie value in an X-XSRF-TOKEN header); neither is an authorization decision, so fix the request and repeat before drawing a conclusion. Run the same two requests as a user who does hold create permission to confirm that the endpoints and paths are correct at all.

Administrators can also check the installed Sharp version (composer show code16/sharp in the project root) and treat any version from 9.0.0 up to but not including 9.22.3 as affected; 9.22.3 is the first patched release.
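The same check can be encoded as a Laravel feature test so it runs in the suite before and after the upgrade. The following is an added example, not code from the advisory or from the Sharp project. It assumes a hypothetical App\Sharp\Posts\PostPolicy extending Code16\Sharp\Auth\SharpEntityPolicy whose create() denies users with role viewer and allows role editor, a users table with a role column, a posts table with a title column, placeholder route paths (take the real ones from php artisan route:list --path=sharp), and that Sharp uses the application's default guard.

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use App\Sharp\Posts\PostPolicy;   // hypothetical SharpEntityPolicy subclass for the "posts" entity
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

/**
 * Regression test for CVE-2026-53634 (added example, not part of the advisory
 * or of Sharp). A user whom the entity policy denies `create` must be refused
 * by both Quick Creation Command endpoints, and no row may be written.
 *
 * Assumptions to adapt:
 *  - FORM_PATH / STORE_PATH are placeholders; the advisory gives no paths.
 *    Take the real ones from `php artisan route:list --path=sharp`.
 *  - User::factory() yields a user with a `role` column that
 *    PostPolicy::create() inspects ('viewer' is denied, 'editor' is allowed).
 *  - Sharp uses the application's default guard; otherwise pass the guard
 *    name as the second argument of actingAs().
 */
class QuickCreationAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    private const FORM_PATH  = '/sharp/api/list/posts/quick-creation';   // placeholder
    private const STORE_PATH = '/sharp/api/list/posts/quick-creation';   // placeholder
    private const PAYLOAD    = ['title' => 'cve-2026-53634-probe'];      // constructed input

    private function viewer(): User
    {
        return User::factory()->create(['role' => 'viewer']);
    }

    /** Sanity check: the fixture user really is denied by the policy, so a 403 below is meaningful. */
    public function test_fixture_user_is_denied_create_by_policy(): void
    {
        $this->assertFalse((new PostPolicy())->create($this->viewer()));
    }

    public function test_user_without_create_cannot_fetch_quick_creation_form(): void
    {
        $this->actingAs($this->viewer())
            ->getJson(self::FORM_PATH)
            ->assertForbidden();   // a 200 here is the bypass (9.0.0 <= version < 9.22.3)
    }

    public function test_user_without_create_cannot_store_via_quick_creation(): void
    {
        $this->actingAs($this->viewer())
            ->postJson(self::STORE_PATH, self::PAYLOAD)
            ->assertForbidden();

        // The check must stop the write itself, not only shape the response.
        $this->assertDatabaseMissing('posts', self::PAYLOAD);
    }

    /** Control: an authorized user proves the endpoints exist and the placeholder paths were replaced. */
    public function test_user_with_create_can_use_quick_creation(): void
    {
        $editor = User::factory()->create(['role' => 'editor']);

        $this->actingAs($editor)->getJson(self::FORM_PATH)->assertOk();
        $this->actingAs($editor)->postJson(self::STORE_PATH, self::PAYLOAD)->assertSuccessful();
        $this->assertDatabaseHas('posts', self::PAYLOAD);
    }
}
```

On an affected version the two forbidden tests fail with a 2xx status, which is the detection; after upgrading to 9.22.3 they pass and stay in the suite as a regression guard. Laravel skips CSRF verification while running tests, so no token handling is needed here, unlike the curl probes above. The control test matters: without it, a 403 could simply mean the placeholder path does not exist.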
