CVE-2026-49858

Cross-User Attribute Leak in API Platform Core

Vulnerability report for CVE-2026-49858, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 16 associated CPEs
Vendor        Product   Version / Range
api-platform  core      from 2.6.0 (inclusive) to 4.1.29 (exclusive)
api-platform  core      4.1.29
api-platform  core      4.2.26
api-platform  core      4.3.12
api-platform  json-api  from 2.6.0 (inclusive) to 4.1.29 (exclusive)
api-platform  json-api  4.1.29
api-platform  json-api  4.2.26
api-platform  json-api  4.3.12
api-platform  hal       from 2.6.0 (inclusive) to 4.1.29 (exclusive)
api-platform  hal       4.1.29
api-platform  hal       4.2.26
api-platform  hal       4.3.12
api_platform  core      from 2.6.0 (inclusive) to 4.1.29 (exclusive)
api_platform  core      4.1.29
api_platform  core      4.2.26
api_platform  core      4.3.12

Exploitability

CWE ID   Description
CWE-639  The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-524  The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

KEV: not listed

Compliance Impact

This vulnerability causes a cross-user attribute leak, where sensitive attributes intended to be hidden from users with lower privileges may be exposed due to improper caching in the API Platform Core's JSON:API and HAL item normalizers.

Such unauthorized exposure of sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

Because the flaw allows confidential information to be leaked across users, organizations using affected versions may face compliance risks related to confidentiality and data privacy requirements.

Executive Summary

This vulnerability exists in the JSON:API and HAL item normalizers of the api-platform/core library. It is caused by a missing security gate called isCacheKeySafe, which leads to improper caching of user-specific data. Specifically, the cache key used to store the normalized component structure is set before the security predicates that decide whether a property is exposed to a user have been evaluated. As a result, the structure cached for one user's request, in which certain properties were accessible, can be reused for a request from another user who should not have access to those properties. This causes a cross-user attribute leak, exposing sensitive information to users with lower privileges.

The issue mainly affects long-running PHP runtimes like FrankenPHP, RoadRunner, or Swoole, where the cache persists across requests. Classic PHP-FPM setups are less vulnerable because the cache does not survive between requests. The vulnerability has been fixed in versions 4.1.29, 4.2.26, and 4.3.12 of the affected packages.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive attributes to users who should not have access to them. A user with lower privileges may see data or properties that are intended to be hidden based on security rules. This cross-user attribute leak compromises confidentiality and can expose sensitive information, potentially leading to privacy violations or data breaches.

Detection Guidance

This vulnerability arises from a cache reuse issue in the JSON:API and HAL item normalizers of api-platform/core, where cached data from one user's request may be exposed to another user with lower privileges.

Detection involves verifying if your system is running affected versions of api-platform/core (versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12) and if it uses long-running PHP runtimes such as FrankenPHP, RoadRunner, or Swoole where cache persists across requests.

Since the vulnerability is related to cache key reuse and security predicate evaluation, you can check for unusual attribute leaks between users with different privilege levels by inspecting API responses.

There are no explicit commands provided in the resources to detect this vulnerability automatically.

Mitigation Strategies

Immediate mitigation consists of upgrading the api-platform/core package to a fixed version: 4.1.29, 4.2.26, or 4.3.12, or a later release of the corresponding branch.

If upgrading is not immediately possible, workarounds include overriding the normalizer services to implement a security check on the cache key to prevent cache reuse across users.
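The following is an added, self-contained PHP model of the defect described above and of the gating idea behind this workaround; it is not api-platform/core's code. The class, its PROPERTIES table and the roles are constructed for illustration, and the isCacheKeySafe method only borrows its name from the advisory: its body here is a simplified assumption (a key is unsafe to share whenever any property carries a security predicate), not the library's implementation.

```php
<?php
// Hypothetical, simplified model of the advisory's defect (not api-platform/core's code):
// one long-lived normalizer serves several users; its components cache is keyed on
// $context['cache_key'] alone, so per-user #[ApiProperty(security: ...)] results get shared.
final class ModelItemNormalizer
{
    /** Stands in for #[ApiProperty(security: ...)]: property => required role (null = public). */
    private const PROPERTIES = ['id' => null, 'email' => null, 'salary' => 'ROLE_ADMIN'];
    /** @var array<string, string[]> attribute structure per cache_key (the componentsCache) */
    private array $componentsCache = [];

    public function __construct(private readonly bool $gateOnCacheKeySafety) {}

    /** Returns the attribute names exposed to a user holding $roles for this request. */
    public function attributes(array $roles, array $context): array
    {
        $key = $context['cache_key'] ?? 'Employee'; // set unconditionally, as in the advisory
        // Gate off: the cached structure is reused whoever is asking (the vulnerable behaviour).
        // Gate on: the cache is read and filled only when the key cannot depend on the user.
        $useCache = !$this->gateOnCacheKeySafety || $this->isCacheKeySafe();
        if ($useCache && isset($this->componentsCache[$key])) {
            return $this->componentsCache[$key];
        }
        $visible = [];
        foreach (self::PROPERTIES as $name => $requiredRole) {
            if ($requiredRole === null || in_array($requiredRole, $roles, true)) {
                $visible[] = $name;
            }
        }
        if ($useCache) {
            $this->componentsCache[$key] = $visible;
        }
        return $visible;
    }

    /** Assumed rule: safe to share across users only when no property has a security predicate. */
    private function isCacheKeySafe(): bool
    {
        return array_filter(self::PROPERTIES) === [];
    }
}

// Two requests served by the same instance, as in a long-running runtime (constructed scenario).
$context = ['cache_key' => 'Employee'];
$vulnerable = new ModelItemNormalizer(gateOnCacheKeySafety: false);
$vulnerable->attributes(['ROLE_ADMIN'], $context);  // the admin's request caches 'salary'
$leaked = $vulnerable->attributes([], $context);     // an anonymous user is served that structure
$fixed = new ModelItemNormalizer(gateOnCacheKeySafety: true);
$fixed->attributes(['ROLE_ADMIN'], $context);
$safe = $fixed->attributes([], $context);            // recomputed per user, 'salary' withheld
var_dump(in_array('salary', $leaked, true), in_array('salary', $safe, true));
```

Under PHP-FPM each request gets a fresh instance, which is why the advisory's long-running-runtime caveat matters: the leak needs the componentsCache to outlive the request that populated it.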

Another temporary mitigation is to avoid using the #[ApiProperty(security: ...)] attribute on resources served in JSON:API or HAL formats until the patch is applied.

Also, consider the runtime environment: classic PHP-FPM setups are less vulnerable since the cache does not persist between requests, so switching to such an environment may reduce risk temporarily.
