CVE-2026-54164

Type Confusion in API Platform Core Serializer

Vulnerability report for CVE-2026-54164, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.


Meta Information

- Published: 2026-07-01
- Last modified: 2026-07-01
- Generated: 2026-07-02
- AI Q&A: 2026-07-01
- EPSS evaluated: N/A
- External references: NVD, EUVD

Affected Vendors & Products

2 associated CPEs:

Vendor        Product   Version / Range
api-platform  core      up to 4.3.12 (4.3.12 excluded)
api_platform  core      up to 4.3.12 (4.3.12 excluded)


Exploitability

CWE-843: The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.


AI Quick Actions

Executive Summary

The vulnerability in API Platform Core's serializer AbstractItemNormalizer occurs because it does not validate the resource type when resolving relation IRIs. This allows an attacker who can submit write requests to supply a relation IRI pointing to a resource of a different type than expected. For untyped relation properties, this wrong-typed object is silently assigned, corrupting data integrity. For typed properties, the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. The root cause is that getResourceFromIri() does not pass an operation parameter to IriConverter::getResourceFromIri(), bypassing a type guard check.

This issue affects api-platform/core versions prior to 4.1.30, 4.2.26, and 4.3.12 and has been fixed by adding a type guard that throws an exception for mismatched IRIs, preventing silent assignment.

Impact Analysis

This vulnerability corrupts data integrity. An attacker able to submit write requests to an API Platform endpoint with writable relations can cause relation properties to be assigned resources of unintended types. This type confusion can corrupt invariants and potentially cause downstream logic to behave incorrectly, because that logic assumes the declared type of the relation property.

While typed properties are protected by Symfony's PropertyAccessor, untyped properties are vulnerable to silent incorrect assignments, which can lead to unexpected behavior or security issues in the application.

Detection Guidance

This vulnerability involves the API Platform serializer's AbstractItemNormalizer failing to validate resource types when resolving relation IRIs, which can lead to type confusion and data integrity issues.

Detection would involve monitoring or inspecting write requests (POST/PUT/PATCH) to API Platform endpoints that have writable relations, looking for relation IRIs that point to resources of an unintended type.

Since the issue is related to silent assignment of wrong-typed objects or exceptions thrown by Symfony's PropertyAccessor, you can check application logs for InvalidTypeException errors or unexpected data inconsistencies in relation properties.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Mitigation Strategies

The recommended immediate mitigation is to upgrade API Platform Core to a patched version: 4.1.30, 4.2.26, or 4.3.12 or later, where the vulnerability has been fixed.

The fix adds a type guard in AbstractItemNormalizer::getResourceFromIri() that throws an InvalidArgumentException for mismatched IRIs, causing a 400 Bad Request response instead of silent assignment.

As a workaround, you can declare PHP types on writable relation properties to leverage Symfony's PropertyAccessor type checking, which blocks wrong-typed substitutions.

However, upgrading to a patched version is strongly recommended for complete protection.
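As an added illustration (not API Platform's or Symfony's code) of the untyped-versus-typed property distinction and the is_a() guard described in the fix and workaround above, the plain-PHP script below uses constructed Author, Tag, LegacyBook and TypedBook classes and a stand-in IRI resolver. It assumes PHP 8.0 or later; the TypeError it catches on the typed property is what Symfony's PropertyAccessor reports as InvalidTypeException.

```php
<?php
// Added example, not API Platform's code: a wrong-typed relation lands in an untyped
// property, a typed property rejects it, and an is_a() guard like the fix's catches it first.
declare(strict_types=1);
// Constructed classes standing in for two unrelated API resources.
final class Author { public function __construct(public string $name) {} }
final class Tag    { public function __construct(public string $label) {} }

// Legacy, untyped relation: only a docblock says it should hold an Author.
final class LegacyBook {
    /** @var Author */
    public $author;
}

// Modern, typed relation: PHP enforces the class at assignment time.
final class TypedBook {
    public ?Author $author = null;
}

// Constructed stand-in for an IRI resolver that performs no type check.
function resolveIri(string $iri): object {
    $table = ['/authors/1' => new Author('Ada'), '/tags/7' => new Tag('php')];
    return $table[$iri] ?? throw new InvalidArgumentException("Unknown IRI $iri");
}

// Guard in the spirit of the fix: refuse a resolved resource whose class does not
// match the relation's declared class (an API layer maps this to 400 Bad Request).
function resolveRelation(string $iri, string $expectedClass): object {
    $resource = resolveIri($iri);
    if (!is_a($resource, $expectedClass)) {
        throw new InvalidArgumentException(sprintf(
            'IRI %s resolves to %s, expected %s', $iri, $resource::class, $expectedClass));
    }
    return $resource;
}

// 1. Untyped property, no guard: a Tag is silently stored where an Author belongs.
$legacy = new LegacyBook();
$legacy->author = resolveIri('/tags/7');
var_dump($legacy->author instanceof Author); // the declared Author invariant no longer holds

// 2. Typed property: PHP throws TypeError (Symfony's PropertyAccessor surfaces this
//    as InvalidTypeException), so the substitution is blocked.
$typed = new TypedBook();
try { $typed->author = resolveIri('/tags/7'); }
catch (TypeError $e) { echo "typed property rejected: ", $e->getMessage(), PHP_EOL; }

// 3. Guarded resolution: the mismatch is rejected before any assignment happens.
try { $legacy->author = resolveRelation('/tags/7', Author::class); }
catch (InvalidArgumentException $e) { echo "guard rejected: ", $e->getMessage(), PHP_EOL; }
```

The same guard pattern is what makes an upgrade preferable to the typing workaround alone: it rejects the mismatch for every writable relation, whether or not the property is typed.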

Compliance Impact

This vulnerability allows type confusion in API Platform Core's serializer, leading to the silent assignment of incorrect resource types to relation properties. This corrupts data integrity by feeding downstream logic with unintended data types.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the impact on data integrity could potentially affect compliance with regulations that require accurate and reliable data processing and protection.

Organizations relying on API Platform Core for handling sensitive or regulated data should consider that this vulnerability might undermine data correctness and integrity, which are critical for meeting regulatory requirements.
