CVE-2026-53901
Mass Assignment Vulnerability in Cerebrate

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled. Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching.
Meta Information
Generated: 2026-06-11
AI Q&A generated: 2026-06-11
EPSS evaluated: N/A
Affected Vendors & Products
Vendor: cerebrate
Product: cerebrate
Version / Range: versions before 1.37 (1.37 excluded)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Quick Actions
Executive Summary

Cerebrate before version 1.37 contains a mass-assignment vulnerability in its generic CRUD add path. The add() handler tried to remove an attacker-supplied 'id' from the parameters before normalizing the input, but the normalized input could still contain an 'id' field. This means an attacker able to access the add endpoint could supply their own identifier, which should normally be controlled by the server.

This vulnerability allows attackers to create objects with attacker-chosen identifiers, potentially leading to unauthorized data manipulation, object spoofing, inconsistent references, or disruption caused by identifier collisions.

Impact Analysis

Successful exploitation of this vulnerability can allow attackers to create objects with identifiers they choose, which can lead to several impacts:

  • Unauthorized data manipulation
  • Object spoofing
  • Inconsistent references within the system
  • Disruption caused by identifier collisions

The exact impact depends on the affected model and the permissions of the endpoint.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Cerebrate to version 1.37 or later, where the issue has been fixed.

The fix involves properly removing the 'id' field from the normalized input in the add() handler to prevent mass-assignment attacks that allow attackers to supply unauthorized identifiers.

Applying the patch from the commit that moves the unset operation for the 'id' field to after input normalization in the CRUDComponent.php file is the recommended immediate step.
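The ordering problem the advisory describes is easier to see in code. The following is an added illustration, not Cerebrate's own CRUDComponent: the Request, Entity, patchEntity() and massageInput() stand-ins are hypothetical, chosen only to mirror the advisory's account that add() unset 'id' from $params while __massageInput() produced a separate normalized $input that still carried the field. It contrasts that vulnerable ordering with the fixed one, where 'id' is removed from the normalized input immediately before entity patching.

```php
<?php
// Added illustration (not Cerebrate's code): a minimal stand-in for a generic
// CRUD add() handler, showing why unsetting 'id' from $params before input
// normalisation does not protect the normalised $input that is patched into
// the entity, and why unsetting it afterwards does.

declare(strict_types=1);

// Hypothetical request object: getData() returns the raw submitted body.
final class Request
{
    public function __construct(private array $data) {}
    public function getData(): array { return $this->data; }
}

// Hypothetical entity: patchEntity() copies every key, as a mass-assignment
// sink does when the caller does not restrict the assignable fields.
final class Entity
{
    public array $fields = [];
}

function patchEntity(Entity $entity, array $input): Entity
{
    foreach ($input as $key => $value) {
        $entity->fields[$key] = $value;
    }
    return $entity;
}

// Hypothetical stand-in for __massageInput(): normalises the request body
// (trims strings, drops empty values). It reads from the request, not from
// $params, so anything removed from $params alone is not removed here.
function massageInput(Request $request): array
{
    $input = [];
    foreach ($request->getData() as $key => $value) {
        if (is_string($value)) {
            $value = trim($value);
        }
        if ($value === '' || $value === null) {
            continue;
        }
        $input[$key] = $value;
    }
    return $input;
}

// Vulnerable ordering: 'id' is removed from $params, then $input is built
// from the request, so a client-supplied 'id' still reaches the entity.
function addVulnerable(Request $request): Entity
{
    $params = $request->getData();
    unset($params['id']);                 // too early: $input is built separately
    $input = massageInput($request);
    return patchEntity(new Entity(), $input);
}

// Fixed ordering (as described for v1.37): remove 'id' from the normalised
// $input right before patching, so the identifier stays server-controlled.
function addFixed(Request $request): Entity
{
    $input = massageInput($request);
    unset($input['id']);                  // after normalisation, before patching
    return patchEntity(new Entity(), $input);
}

// Constructed sample request: a caller supplying an identifier of its choosing.
$request = new Request(['name' => ' example-org ', 'id' => 42]);

printf("vulnerable: %s\n", json_encode(addVulnerable($request)->fields));
printf("fixed:      %s\n", json_encode(addFixed($request)->fields));
```

Running it shows the vulnerable handler storing the caller's 'id' alongside the name, while the fixed handler stores only the name. A complementary defence in CakePHP-based code is to exclude the primary key from the entity's assignable fields (the `_accessible` property) so that no patch path can set it, independent of where the controller strips it.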

Compliance Impact

The provided information does not explicitly mention the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an attacker supplying an 'id' field in requests to the add() handler of the Cerebrate application before version 1.37. Detection can focus on monitoring incoming requests to the affected add endpoints for the presence of an 'id' parameter in the payload, which should normally be controlled by the server.

To detect potential exploitation attempts, you can inspect HTTP request logs or capture network traffic to identify requests containing an 'id' field in the add operation payload.

Example commands to detect such requests might include:

  • Using grep on web server logs to find requests with 'id' in the payload: grep -i 'id=' /var/log/apache2/access.log
  • Using tcpdump to capture HTTP POST requests and filter for 'id' in the payload: tcpdump -A -s 0 'tcp port 80' | grep 'id='
  • Using a web application firewall (WAF) or intrusion detection system (IDS) to alert on POST requests to add endpoints containing an 'id' parameter.

Additionally, reviewing application logs for unexpected creation of objects with attacker-chosen identifiers may help identify exploitation.
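A plain grep for 'id=' will also match fields such as 'uuid=' or 'valid=', so parsing the request body is more reliable. The following is an added detection example, not part of the advisory; it assumes a request log where each line carries a timestamp, method, path and the raw body as the last field, and the log lines, endpoint paths and values are constructed for the example. It flags only POST requests to an add endpoint whose decoded body contains a top-level 'id' key.

```php
<?php
// Added detection illustration (not from the advisory): scan request log
// lines for POST requests to an "add" endpoint whose body carries a top-level
// 'id' key. Decoding the body avoids the false positives of grepping 'id='.

declare(strict_types=1);

// Constructed sample lines, assumed format: "<timestamp> <method> <path> <body>"
// with a bare "-" when there is no body. Paths and values are made up.
const SAMPLE_LOG = [
    '2026-06-11T10:00:00Z POST /organisations/add {"name":"acme","id":42}',
    '2026-06-11T10:00:05Z POST /organisations/add name=beta&uuid=abc',
    '2026-06-11T10:00:09Z POST /individuals/add name=carol&id=7',
    '2026-06-11T10:00:12Z GET /organisations/index/id:3 -',
    '2026-06-11T10:00:15Z POST /organisations/edit/3 {"name":"delta","id":3}',
];

// Decode a JSON or application/x-www-form-urlencoded body into an array.
function decodeBody(string $body): array
{
    if ($body === '-' || $body === '') {
        return [];
    }
    $json = json_decode($body, true);
    if (is_array($json)) {
        return $json;
    }
    parse_str($body, $form);
    return $form;
}

// Return the log lines that match: POST, path contains an /add segment,
// and the decoded body has a top-level 'id' key.
function findSuspiciousAddRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $parts = explode(' ', $line, 4);
        if (count($parts) < 4) {
            continue;
        }
        [, $method, $path, $body] = $parts;
        if ($method !== 'POST' || !preg_match('#/add(?:/|$)#', $path)) {
            continue;
        }
        if (array_key_exists('id', decodeBody($body))) {
            $hits[] = $line;
        }
    }
    return $hits;
}

foreach (findSuspiciousAddRequests(SAMPLE_LOG) as $hit) {
    echo "client-supplied id on add endpoint: {$hit}\n";
}
```

On the sample input only the first and third lines are reported: the 'uuid=' request, the GET with an id in its path, and the POST to an edit endpoint (where a client-supplied id is expected) are all left alone. If the web server's access log does not record request bodies, the same check can be applied at an application or reverse-proxy layer that does.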
