CVE-2026-53911
Status: Deferred - Pending Action
Mass Assignment in Cerebrate Before 1.37

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity. These potential vulnerabilities were discovered starting from an initial finding by Jeroen Pinoy, with additional support from AI-assisted Optus 4.8 (the commit wrongly credits Claude Fable 5 because the model was switched), and the disclosure was coordinated by Andras Iklody.
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: cerebrate_project; Product: cerebrate; Version / Range: 1.37
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

This vulnerability in Cerebrate before version 1.37 involves a mass-assignment issue where the primary key field 'id' could be supplied through request input during edit operations and certain custom entity patching flows.

An authenticated attacker could craft an edit request containing the 'id' of another record, causing the system to update that unrelated record instead of the intended one identified by the route parameter.

This affected several entity types that inherited permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection.

Since UserSettings edit functionality was accessible by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type.

Impact Analysis

The vulnerability allows an authenticated attacker to modify records they should not have access to by submitting crafted requests that change the 'id' field.

This can lead to unauthorized updates of unrelated records, potentially compromising data integrity and security within the affected entities.

The impact depends on the specific endpoint and writable fields, but it could allow unauthorized users to alter sensitive information or configurations.

Detection Guidance

Detection of this vulnerability involves monitoring for unusual or unauthorized edit requests where the 'id' field is supplied in the request input to update records other than the intended target. Since the vulnerability allows an authenticated user to submit crafted requests that manipulate the 'id' field during CRUD edit operations, inspecting logs for such requests is key.

You can look for HTTP requests to the application's edit endpoints that include an 'id' parameter in the request body or payload, especially if the 'id' differs from the route parameter or expected record identifier.

Example commands to detect such activity might include searching web server or application logs for suspicious payloads. Note that a default web server access log records the request line but not the POST body, so an 'id' supplied in the body is only visible in application or audit logs that record request data; the following greps are broad starting points that will also match benign entries and need manual review:

  • grep -i 'edit' /var/log/apache2/access.log | grep -i 'id='
  • grep -i 'edit' /path/to/application/logs/*.log | grep -i 'id'

Additionally, monitoring for unexpected changes in records where the authenticated user should not have permission to modify those specific records can help identify exploitation attempts.
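As an added illustration (not code from the original page or from Cerebrate), the route-versus-body id mismatch check described above, run over a constructed JSON-lines application log; the log format and the edit route shape are assumptions, and a web server access log alone would not carry the request body.

```python
import json
import re

# Constructed sample application log (JSON lines); not real Cerebrate output.
# Assumes the app logs the request path and the decoded body for each request.
SAMPLE_LOG = """\
{"ts":"2026-06-11T10:00:01Z","user":"alice","method":"POST","path":"/userSettings/edit/17","body":{"value":"dark"}}
{"ts":"2026-06-11T10:00:05Z","user":"alice","method":"POST","path":"/userSettings/edit/17","body":{"id":42,"value":"x"}}
{"ts":"2026-06-11T10:00:09Z","user":"bob","method":"POST","path":"/users/edit/3","body":{"id":"3","email":"bob@example.test"}}
{"ts":"2026-06-11T10:00:12Z","user":"bob","method":"GET","path":"/users/view/3","body":{}}
{"ts":"2026-06-11T10:00:20Z","user":"carol","method":"POST","path":"/roles/edit/2","body":{"id":1,"name":"admin"}}
"""

# Assumed edit-route shape: /<entity>/edit/<numeric id>
EDIT_ROUTE = re.compile(r"^/(?P<entity>[A-Za-z]+)/edit/(?P<route_id>\d+)$")


def find_id_mismatches(log_text):
    """Return (user, entity, route_id, body_id) for write requests to an
    edit route whose body carries an id different from the route id."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") not in ("POST", "PUT", "PATCH"):
            continue  # only write requests can trigger the save
        m = EDIT_ROUTE.match(rec.get("path", ""))
        if not m:
            continue
        body = rec.get("body") or {}
        if "id" not in body:
            continue  # body-supplied id is the precondition for this issue
        body_id = str(body["id"])
        if body_id != m.group("route_id"):
            findings.append((rec["user"], m.group("entity"),
                             m.group("route_id"), body_id))
    return findings


if __name__ == "__main__":
    for f in find_id_mismatches(SAMPLE_LOG):
        print("suspicious edit: user=%s entity=%s route_id=%s body_id=%s" % f)
```

A body id equal to the route id (bob's request) is normal form behaviour and is not flagged; only the mismatching requests surface for review.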

Mitigation Strategies

The immediate mitigation step is to upgrade Cerebrate to version 1.37 or later, where the vulnerability is fixed by stripping the 'id' field from request input after marshalling callbacks and globally marking 'id' as inaccessible in the base AppModel entity.

If upgrading immediately is not possible, as a temporary measure, review and modify the application's code to ensure that the 'id' field cannot be mass-assigned or manipulated through request inputs during CRUD edit or patch operations.

Specifically, ensure that in the CRUDComponent's edit() and add() methods, the 'id' field is removed from user input after the beforeMarshal process, and that the AppModel class has accessibility settings that prevent mass-assignment of the 'id' field.

Also, audit custom patchEntity flows in controllers to strip out the 'id' field before processing.

Finally, restrict authenticated user permissions to only those necessary and monitor for suspicious edit requests as a defense-in-depth measure.
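The following is an added model, not Cerebrate's or CakePHP's code, of the marshalling behaviour behind the two fixes above: an entity with an accessible map and a patch step that honours it. It shows how a permissive default lets a body-supplied id redirect the save to another row, and how stripping id after the marshalling callback plus marking id inaccessible keeps the save on the routed record; the Entity, patch_entity and save helpers are hypothetical.

```python
# Added illustration, not Cerebrate's code: a minimal model of CakePHP-style
# mass assignment (an entity with an _accessible map and a patch step), used
# to show why a body-supplied id must never reach the entity.

class Entity:
    def __init__(self, fields, accessible):
        self.fields = dict(fields)
        self.accessible = accessible  # e.g. {"*": True} or {"*": True, "id": False}

    def is_accessible(self, name):
        if name in self.accessible:
            return self.accessible[name]
        return self.accessible.get("*", False)


def patch_entity(entity, data, strip_id=False):
    """Copy request data onto the entity, honouring the accessible map.
    strip_id models dropping id from the input after marshalling callbacks."""
    data = dict(data)
    if strip_id:
        data.pop("id", None)
    for name, value in data.items():
        if entity.is_accessible(name):
            entity.fields[name] = value
    return entity


def save(store, entity):
    """Persist by primary key: whichever id the entity now carries decides
    which row is written, which is the behaviour CVE-2026-53911 abuses."""
    store[entity.fields["id"]] = dict(entity.fields)
    return entity.fields["id"]


def edit(store, route_id, body, accessible, strip_id=False):
    """Model of a CRUD edit: load the routed record, patch it, save it."""
    entity = Entity(store[route_id], accessible)
    patch_entity(entity, body, strip_id=strip_id)
    return save(store, entity)


def demo():
    body = {"id": 42, "value": "attacker-controlled"}  # constructed request body
    vulnerable = {17: {"id": 17, "user": "alice", "value": "dark"},
                  42: {"id": 42, "user": "bob", "value": "light"}}
    written_vuln = edit(vulnerable, 17, body, {"*": True})
    hardened = {17: {"id": 17, "user": "alice", "value": "dark"},
                42: {"id": 42, "user": "bob", "value": "light"}}
    written_fixed = edit(hardened, 17, body, {"*": True, "id": False}, strip_id=True)
    return written_vuln, written_fixed, vulnerable[42]["value"], hardened[42]["value"]
```

With the permissive map the edit routed to record 17 writes record 42; with id stripped and inaccessible the write stays on record 17 and record 42 is untouched.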

Compliance Impact

This vulnerability allows authenticated users to modify records they should not have access to by manipulating the primary key field during CRUD operations. Such unauthorized modification of data can lead to violations of data integrity and access control requirements.

In the context of compliance with standards like GDPR and HIPAA, this vulnerability could result in unauthorized access or alteration of personal or sensitive data, potentially breaching confidentiality and data protection obligations mandated by these regulations.

Therefore, exploitation of this issue may lead to non-compliance with regulatory requirements related to data security, access controls, and auditability.
