Authorization Flaw in Oban Web by Oban BG Allows Job Worker Substitution
CVE-2026-48592
5.3 MEDIUM
What is CVE-2026-48592?
A missing authorization check in the Oban Web application allows an authenticated user who has only read-only access to change which worker module a job runs. The affected LiveView event handler, handle_event("save-job", ...), does not verify the caller's privileges before saving, so an attacker can send a forged LiveView WebSocket event that sets the targeted job's worker field to the name of any existing Oban.Worker module. On that job's next execution, Oban runs the attacker-chosen module instead of the intended one, compromising application integrity.
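The pattern the description above refers to, written out as an added example in Elixir. This is not Oban Web's code and not its upstream fix; MyApp.JobsLive, MyApp.Repo, the :access assign (assumed to be set at mount to :read_only or :all), and the event and parameter names are assumptions made for illustration. The vulnerable handler saves whatever worker the socket sends; the hardened one refuses anything but a full-access session and additionally checks that the name resolves to a loaded module declaring the Oban.Worker behaviour.

```elixir
# Added example (not Oban Web's code and not its upstream fix). Models the
# flaw described above: a LiveView "save-job" handler that rewrites a job's
# worker without checking the caller's access level, next to a hardened one.
# Assumptions: MyApp.Repo, the :access assign (:read_only | :all) presumed to
# be set in mount/3, and the event/param names are illustrative only.

defmodule MyApp.JobsLive.Vulnerable do
  use Phoenix.LiveView

  # Vulnerable pattern: any connected socket, including one mounted for a
  # read-only viewer, can push {"save-job", %{"id" => id, "worker" => w}}
  # over the WebSocket and change which module Oban executes next time.
  def handle_event("save-job", %{"id" => id, "worker" => worker}, socket) do
    Oban.Job
    |> MyApp.Repo.get!(id)
    |> Ecto.Changeset.change(worker: worker)
    |> MyApp.Repo.update!()

    {:noreply, socket}
  end
end

defmodule MyApp.JobsLive.Hardened do
  use Phoenix.LiveView

  # Authorization first: only a socket whose access level is :all reaches
  # this clause. Then validate the requested worker before touching the DB.
  def handle_event(
        "save-job",
        %{"id" => id, "worker" => worker},
        %{assigns: %{access: :all}} = socket
      ) do
    case validate_worker(worker) do
      {:ok, name} ->
        Oban.Job
        |> MyApp.Repo.get!(id)
        |> Ecto.Changeset.change(worker: name)
        |> MyApp.Repo.update!()

        {:noreply, put_flash(socket, :info, "worker updated")}

      {:error, reason} ->
        {:noreply, put_flash(socket, :error, "rejected worker: #{reason}")}
    end
  end

  # Every other access level, read-only included, is refused. A forged event
  # from a read-only session lands here instead of in the clause above.
  def handle_event("save-job", _params, socket) do
    {:noreply, put_flash(socket, :error, "not permitted")}
  end

  # Accepts only a name that resolves to an already-loaded module declaring
  # the Oban.Worker behaviour. String.to_existing_atom/1 never creates a new
  # atom from user input (no atom-table exhaustion); an unknown name raises
  # ArgumentError, which is rescued below.
  defp validate_worker(name) when is_binary(name) do
    module = String.to_existing_atom("Elixir." <> name)

    cond do
      not Code.ensure_loaded?(module) -> {:error, :unknown_module}
      Oban.Worker not in behaviours(module) -> {:error, :not_an_oban_worker}
      true -> {:ok, name}
    end
  rescue
    ArgumentError -> {:error, :unknown_module}
  end

  defp validate_worker(_other), do: {:error, :invalid_worker}

  # `use Oban.Worker` sets @behaviour Oban.Worker, which shows up in the
  # module's :attributes as {:behaviour, [Oban.Worker]}.
  defp behaviours(module) do
    module.__info__(:attributes)
    |> Keyword.get_values(:behaviour)
    |> List.flatten()
  end
end
```

Note that the module validation on its own would not have prevented the attack the advisory describes, because the substituted worker is itself an existing Oban.Worker; the pattern match on the :access assign is the check that closes the hole, and it must run before any write, not after.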
Affected Version(s)
oban_web >= 2.12.0, < 2.12.5
oban_web a17bc8c31286c9d516e2892cf5483d1c95e65d6c
CVSS V4
Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability reserved
Credit
Peter Ullrich
Parker Selbert
Jonatan Männchen
