Access Control Flaw in DevGuard API for Public Assets
CVE-2026-48089

7.1 HIGH

Key Information:

CVE Published: 19 June 2026

What is CVE-2026-48089?

DevGuard versions before 1.4.2 contain an access control flaw in the API: any authenticated user can manage VEX rules on a public asset (create, update, delete and reapply them) without holding any membership or role in the organization that owns the asset. The same missing check affects other write endpoints used for vulnerability triage on public assets. Because VEX rules drive triage decisions, an account from an unrelated organization can silently alter the owning organization's triage state and undermine the integrity of its risk management. Version 1.4.2 fixes the issue by requiring organization membership for these write operations; until the patch is applied, setting affected assets to private blocks unauthorized access, since the flawed check only waived membership for public assets.
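The flaw described above comes down to a policy that treats an asset's visibility as if it were permission. The following Go program is an added illustration, not DevGuard's own code (the advisory quotes none; Go is used only because DevGuard is a Go project): a minimal authorization policy with the flawed rule beside a corrected one, plus the "make it private" workaround. The types, role names, action names and the choice to deny unauthenticated reads of public assets are assumptions made for the example.

```go
package main

import "fmt"

// Role is a user's role within an organization. RoleNone (the zero value)
// is also what a map lookup yields for an organization the user is not in.
type Role int

const (
	RoleNone Role = iota
	RoleMember
	RoleAdmin
)

// User is an authenticated account. A nil *User models an unauthenticated request.
type User struct {
	ID   string
	Orgs map[string]Role // organization ID -> role held there
}

// Asset belongs to exactly one organization and is either public or private.
type Asset struct {
	ID     string
	OrgID  string
	Public bool
}

// Action is the operation being authorized. WriteVEXRule stands in for all the
// triage write endpoints the advisory names (create/update/delete/reapply VEX
// rules and similar writes); it is an assumed name, not a DevGuard endpoint.
type Action int

const (
	ReadAsset Action = iota
	WriteVEXRule
)

// vulnerableAuthorize models the pre-1.4.2 behaviour the advisory describes:
// being public short-circuits the membership check for every action, so any
// authenticated user can write VEX rules on a public asset.
func vulnerableAuthorize(u *User, a Asset, act Action) bool {
	if u == nil {
		return false
	}
	if a.Public {
		return true // BUG: visibility is treated as permission, even for writes
	}
	return u.Orgs[a.OrgID] >= RoleMember
}

// fixedAuthorize separates visibility from permission: public visibility only
// widens who may read; every write requires membership in the owning
// organization. Unknown actions are denied by default.
func fixedAuthorize(u *User, a Asset, act Action) bool {
	if u == nil {
		return false // assumption: even public assets require an authenticated reader
	}
	role := u.Orgs[a.OrgID]
	switch act {
	case ReadAsset:
		return a.Public || role >= RoleMember
	case WriteVEXRule:
		return role >= RoleMember
	default:
		return false
	}
}

// Decision records both policies' answers for one request, for side-by-side comparison.
type Decision struct {
	Vulnerable bool
	Fixed      bool
}

func evaluate(u *User, a Asset, act Action) Decision {
	return Decision{Vulnerable: vulnerableAuthorize(u, a, act), Fixed: fixedAuthorize(u, a, act)}
}

func main() {
	// Constructed sample data: org-a owns the asset; mallory is an admin of an unrelated org-b.
	public := Asset{ID: "asset-1", OrgID: "org-a", Public: true}
	private := Asset{ID: "asset-1", OrgID: "org-a", Public: false} // the advisory's workaround
	member := &User{ID: "alice", Orgs: map[string]Role{"org-a": RoleMember}}
	outsider := &User{ID: "mallory", Orgs: map[string]Role{"org-b": RoleAdmin}}

	cases := []struct {
		name string
		u    *User
		a    Asset
		act  Action
	}{
		{"member writes VEX rule on public asset", member, public, WriteVEXRule},
		{"outsider writes VEX rule on public asset", outsider, public, WriteVEXRule},
		{"outsider reads public asset", outsider, public, ReadAsset},
		{"outsider writes VEX rule on asset made private", outsider, private, WriteVEXRule},
		{"unauthenticated reads public asset", nil, public, ReadAsset},
	}
	for _, c := range cases {
		d := evaluate(c.u, c.a, c.act)
		fmt.Printf("%-50s vulnerable=%-5v fixed=%v\n", c.name, d.Vulnerable, d.Fixed)
	}
}
```

The second case is the vulnerability: the outsider's write is allowed by the flawed policy and denied by the fixed one, while the read stays allowed under both. The fourth case shows why the workaround works: once the asset is private, even the flawed policy falls through to the membership check. The practical lesson for any multi-tenant API is that "public" should only ever expand read access; write paths must always resolve the caller's role in the resource's own organization.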

Affected Version(s)

devguard < 1.4.2

CVSS v4

Score: 7.1
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (not a valid value for this metric, which is either None or Present)
Privileges Required: Undefined (the description implies Low: the attacker needs only an authenticated account)
User Interaction: None
Confidentiality: None
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 19 June 2026