Cross-User Attribute Leak in API Platform Core by API Platform
CVE-2026-49858

5.9 MEDIUM

Key Information:

Vendor: API Platform
CVE Published:
1 July 2026

What is CVE-2026-49858?

API Platform Core is vulnerable to a cross-user attribute leak caused by a missing isCacheKeySafe gate in its JSON:API and HAL item normalizers. The issue affects versions from 2.6.0 up to, but not including, 4.1.29, 4.2.26 and 4.3.12. The normalizers cache the set of attributes to serialize per resource, but the cache key does not account for the caller's security context, so the attribute list computed while serving one user is reused for later requests from other users. As a result, a lower-privileged user can receive attributes and structure that property-level security predicates are meant to withhold. Because the leaked data is whatever an earlier request left in the cache, exposure depends on request ordering rather than on anything the attacker controls directly.
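The following is an added illustration of the bug class described above, written as a stand-alone Python model rather than API Platform's own PHP code. It assumes a constructed resource (Book) with one property (purchasePrice) guarded by a predicate in the style of is_granted('ROLE_ADMIN'); the class names, the role, and the tiny predicate evaluator are all inventions for the example. The vulnerable normalizer caches the attribute list per (class, format) only; the hardened one adds an is_cache_key_safe gate that refuses to cache a result whose contents depend on who is asking.

```python
# Constructed model of a normalizer attribute cache keyed without the caller's
# security context.  Not API Platform code; names are assumed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class PropertyMeta:
    name: str
    # Property-level predicate in the spirit of
    # #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]; None means public.
    security: Optional[str] = None


# Constructed resource metadata: purchasePrice must only be visible to admins.
SCHEMA: Dict[str, List[PropertyMeta]] = {
    "Book": [
        PropertyMeta("title"),
        PropertyMeta("isbn"),
        PropertyMeta("purchasePrice", "is_granted('ROLE_ADMIN')"),
    ],
}


def evaluate_security(expr: str, user: User) -> bool:
    """Minimal stand-in for an expression language: supports is_granted('ROLE')."""
    prefix, suffix = "is_granted('", "')"
    if not (expr.startswith(prefix) and expr.endswith(suffix)):
        raise ValueError(f"unsupported predicate: {expr}")
    return expr[len(prefix):-len(suffix)] in user.roles


def compute_allowed(resource_class: str, user: User) -> List[str]:
    """Evaluate every property's predicate against *this* request's user."""
    return [p.name for p in SCHEMA[resource_class]
            if p.security is None or evaluate_security(p.security, user)]


class VulnerableNormalizer:
    """Caches the attribute list per (class, format) only: the security decision
    made for the first caller is reused for every later caller."""

    def __init__(self) -> None:
        self._attr_cache: Dict[Tuple[str, str], List[str]] = {}

    def allowed_attributes(self, resource_class: str, user: User) -> List[str]:
        key = (resource_class, "jsonapi")  # no security context in the key, no gate
        if key not in self._attr_cache:
            self._attr_cache[key] = compute_allowed(resource_class, user)
        return self._attr_cache[key]

    def normalize(self, resource_class: str, obj: Dict[str, object], user: User) -> Dict[str, object]:
        return {k: obj[k] for k in self.allowed_attributes(resource_class, user)}


class HardenedNormalizer(VulnerableNormalizer):
    """Same cache, but gated: a cached attribute list is only reused when
    nothing in it depends on who is asking."""

    def is_cache_key_safe(self, resource_class: str) -> bool:
        return all(p.security is None for p in SCHEMA[resource_class])

    def allowed_attributes(self, resource_class: str, user: User) -> List[str]:
        if not self.is_cache_key_safe(resource_class):
            return compute_allowed(resource_class, user)  # user-dependent: never cached
        return super().allowed_attributes(resource_class, user)


def leak_demo(normalizer_cls, admin_first: bool = True) -> Tuple[bool, bool]:
    """Serve an admin and an anonymous user in the given order with one
    normalizer instance.  Returns (admin_saw_price, anonymous_saw_price)."""
    n = normalizer_cls()
    admin = User("alice", frozenset({"ROLE_ADMIN"}))
    anon = User("bob", frozenset())
    book = {"title": "Threat Modeling", "isbn": "0000000000", "purchasePrice": 12.5}  # constructed
    order = [admin, anon] if admin_first else [anon, admin]
    views = {u.name: n.normalize("Book", book, u) for u in order}
    return "purchasePrice" in views["alice"], "purchasePrice" in views["bob"]


if __name__ == "__main__":
    print("vulnerable, admin first:", leak_demo(VulnerableNormalizer))          # (True, True)
    print("vulnerable, anon first: ", leak_demo(VulnerableNormalizer, False))   # (False, False)
    print("hardened, either order: ", leak_demo(HardenedNormalizer),
          leak_demo(HardenedNormalizer, False))                                 # (True, False) twice
```

The two orderings show both faces of the defect: with a privileged request first, the cache hands the guarded attribute to everyone afterwards (the confidentiality impact the advisory describes); with an unprivileged request first, privileged callers silently lose attributes. The gate in the hardened class is deliberately conservative: rather than trying to fold the user's roles into the cache key, it simply declines to cache when any property's visibility depends on the security context.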

Affected Version(s)

api-platform/hal: >= 2.6.0, < 4.1.29 (fixed in 4.1.29; versions before 2.6.0 are not affected)

api-platform/hal: >= 4.2.0, < 4.2.25 (fixed in 4.2.25)

api-platform/hal: >= 4.3.0, < 4.3.8 (fixed in 4.3.8)

CVSS V3.1 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 1 July 2026

  • Vulnerability reserved