Exploitable Boolean Manipulation in nova-toggle-5 by Almir Hodzic
CVE-2026-42202

6.5MEDIUM

Key Information:

Vendor: Almirhodzic
Status: Nova-toggle-5
Vendor: CVE Published:; 8 May 2026

🔔 Create Almirhodzic Vulnerability Alert

What is CVE-2026-42202?

The nova-toggle-5 package prior to version 1.3.0 allows authenticated users to exploit the toggle endpoint without proper authorization controls. This vulnerability permits any user with access to the configured authentication guard to manipulate boolean attributes on various Nova resources, including potential unauthorized access by frontend customers. Additionally, the endpoint's design allows arbitrary attribute parameters, enabling manipulation beyond intended toggle fields, potentially exposing sensitive data and functions within the application. The issue has been addressed in version 1.3.0.

Affected Version(s)

nova-toggle-5 < 1.3.0

References

https://github.com/almirhodzic/nova-toggle-5/security/adv...

x_refsource_CONFIRM

https://github.com/almirhodzic/nova-toggle-5/releases/tag...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 25, 2026

CVE-2026-42202 Data

JSON