CVE-2026-55736
Deferred Deferred - Pending Action

Improper Object Attribute Control in Ash Framework

Vulnerability report for CVE-2026-55736, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-07-09

Assigner: EEF

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete. In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary. An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation. This issue affects ash: from 3.0.0 before 3.29.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-07-09
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ash-project ash From 3.0.0 (inc) to 3.29.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized modification of private action arguments that can control authorization, identity, or record ownership, potentially leading to integrity violations or privilege escalation.

Such unauthorized access and manipulation of sensitive data or control parameters could negatively impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls over data integrity, access, and authorization.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Executive Summary

This vulnerability exists in the Ash framework versions 3.0.0 to before 3.29.3 and involves improper control over private action arguments. These private arguments, which are intended to be set only by trusted server-side code, can be manipulated by user input due to incomplete filtering.

Specifically, when a changeset is built from user-supplied parameters, Ash filters out private arguments only if the parameter key is an atom. However, if the key is a binary (string), which is common in user input, the private argument is not filtered out and can be set by the user. In atomic or bulk update paths, private arguments are never stripped regardless of key type.

As a result, an attacker can inject values for private arguments that should be controlled internally, potentially leading to unauthorized modifications.

Impact Analysis

Exploiting this vulnerability allows an attacker to inject values into private action arguments that are meant to be controlled only by trusted server-side code.

Depending on how these private arguments are used in the applicationβ€”for example, if they control authorization, identity, or record ownershipβ€”this can lead to integrity violations or privilege escalation.

  • Integrity violation: unauthorized modification of data or state.
  • Privilege escalation: gaining higher access rights than intended.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Ash framework to version 3.29.3 or later, where the issue has been fixed.

The fix ensures that private action arguments declared with public?: false cannot be set from user input, whether the parameters are string-keyed or atom-keyed.

Additionally, review your application code to ensure that private arguments are not exposed or modifiable from untrusted sources, especially in changeset creation and atomic or bulk update paths.

Detection Guidance

This vulnerability involves improper filtering of private action arguments in the Ash framework, allowing user input to set values that should be controlled only by server-side code.

To detect exploitation attempts on your system, you should monitor requests that submit parameters to Ash actions, especially those that include keys corresponding to private arguments (declared with public?: false). Look for parameters sent as strings that match private argument names.

Since the vulnerability is related to user-supplied parameters bypassing filtering, you can use logging or network monitoring tools to capture and inspect HTTP request payloads for suspicious parameters.

  • Use network packet capture tools like tcpdump or Wireshark to capture traffic to your Ash-based application and filter for POST or PUT requests containing JSON or form data with keys matching private argument names.
  • On the server, enable detailed request logging to capture parameter maps submitted to Ash actions.
  • Use grep or similar tools on logs to search for occurrences of private argument names in user-supplied parameters, for example: grep -i 'private_argument_name' /path/to/request_logs.log
  • If you have access to the application code or database, audit changesets or records for unexpected values in fields controlled by private arguments, which may indicate exploitation.

There are no specific commands provided in the resources for automated detection, so detection relies on monitoring and analyzing input parameters and logs for suspicious private argument usage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55736. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart