CVE-2026-49858
Status: Received - Intake
Cross-User Attribute Leak in API Platform Core
Vulnerability report for CVE-2026-49858, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-01
Last updated on: 2026-07-01
Assigner: GitHub, Inc.
Description
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
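To make the caching defect concrete, the following is an added illustration in PHP, not API Platform's own code: a toy item normalizer whose `componentsCache` is keyed on `$context['cache_key']`, run once without and once with a cache-safety gate. The `PROPERTY_SECURITY` map standing in for `#[ApiProperty(security: ...)]`, the class and role names, and the rule behind `isCacheKeySafe()` are assumptions for the illustration.

```php
<?php
// Added illustration, not API Platform code: a toy item normalizer whose
// componentsCache is keyed on $context['cache_key'], run with and without a
// cache-safety gate. PROPERTY_SECURITY and the gate rule are assumptions.

// Stand-in for #[ApiProperty(security: ...)]: property => role allowed to see it
// (null = everyone). Evaluated per request, so the exposed set varies by user.
const PROPERTY_SECURITY = ['title' => null, 'ssn' => 'ROLE_ADMIN'];

final class ToyItemNormalizer
{
    private array $componentsCache = [];
    public function __construct(private bool $gateCache) {}
    // Structure may be cached per class only when no property's exposure
    // depends on the requesting user (assumed rule for this illustration).
    private function isCacheKeySafe(): bool
    {
        return array_filter(PROPERTY_SECURITY) === [];
    }
    private function computeComponents(string $role): array
    {
        $attributes = [];
        foreach (PROPERTY_SECURITY as $property => $requiredRole) {
            if ($requiredRole === null || $requiredRole === $role) {
                $attributes[] = $property;
            }
        }
        return ['attributes' => $attributes];
    }
    public function normalize(array $context): array
    {
        $context['cache_key'] ??= 'App\\Entity\\Report';  // set unconditionally, as in the advisory
        $useCache = !$this->gateCache || $this->isCacheKeySafe();
        if ($useCache && isset($this->componentsCache[$context['cache_key']])) {
            return $this->componentsCache[$context['cache_key']];  // first caller's structure is reused
        }
        $components = $this->computeComponents($context['role']);
        if ($useCache) {
            $this->componentsCache[$context['cache_key']] = $components;
        }
        return $components;
    }
}

foreach ([false, true] as $gated) {
    $normalizer = new ToyItemNormalizer($gated);
    $normalizer->normalize(['role' => 'ROLE_ADMIN']);   // privileged request warms the cache
    $attrs = $normalizer->normalize(['role' => 'ROLE_USER'])['attributes'];
    echo ($gated ? 'gated' : 'ungated') . ': ' . implode(',', $attrs) . PHP_EOL;
}
```

In the ungated run the lower-privileged request is served the structure computed for the privileged one, which is the cross-user leak the advisory describes; the gated run recomputes it per request because a security predicate makes the cache key unsafe.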
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| api-platform | core | From 2.6.0 (inc) to 4.1.29 (exc) |
| api-platform | core | 4.1.29 |
| api-platform | core | 4.2.26 |
| api-platform | core | 4.3.12 |
| api-platform | json-api | From 2.6.0 (inc) to 4.1.29 (exc) |
| api-platform | json-api | 4.1.29 |
| api-platform | json-api | 4.2.26 |
| api-platform | json-api | 4.3.12 |
| api-platform | hal | From 2.6.0 (inc) to 4.1.29 (exc) |
| api-platform | hal | 4.1.29 |
| api-platform | hal | 4.2.26 |
| api-platform | hal | 4.3.12 |
| api_platform | core | From 2.6.0 (inc) to 4.1.29 (exc) |
| api_platform | core | 4.1.29 |
| api_platform | core | 4.2.26 |
| api_platform | core | 4.3.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-524 | The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. |