Cross-User Attribute Leak in API Platform Core by API Platform
CVE-2026-49858
CVSS 5.9 (Medium)
What is CVE-2026-49858?
A vulnerability in API Platform Core allows a cross-user attribute leak because the isCacheKeySafe gate is missing from its JSON:API and HAL item normalizers. The issue affects versions from 2.6.0 up to, but not including, 4.1.29, 4.2.26 and 4.3.12. It lets a lower-privileged user see attributes and structures that the configured security predicates should have hidden: the cache used while normalizing responses does not segregate its entries by the caller's permissions, so data computed for one user's request can be served to another user's session.
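The defect class described above, shown as an added, constructed example rather than API Platform's own code: a normalizer caches the list of attributes it will emit, keyed only by resource class, even though one attribute is guarded by a per-user security predicate. The first caller's filtered list is then replayed to every later caller. The hardened variant adds a cache-key-safe gate that refuses to cache whenever any attribute depends on the security context. The `Book` resource, its attributes, the `ROLE_ADMIN` predicate and the class names are all hypothetical.

```php
<?php
// Constructed illustration of a cross-user attribute leak caused by a
// normalizer cache that ignores the caller's security context. This is not
// API Platform code; all names and the Book resource are hypothetical.

final class User
{
    public function __construct(private readonly array $roles) {}

    public function has(string $role): bool
    {
        return in_array($role, $this->roles, true);
    }
}

// Attribute metadata per resource class: attribute name => security
// expression, or null when the attribute is always readable.
function attributeMetadata(string $class): array
{
    $registry = [
        'Book' => [
            'title'         => null,
            'isbn'          => null,
            'purchasePrice' => 'ROLE_ADMIN', // only admins may read this
        ],
    ];
    return $registry[$class] ?? [];
}

// Evaluate the security predicate for the current user.
function isGranted(User $user, ?string $expr): bool
{
    return $expr === null || $user->has($expr);
}

// The uncached computation both normalizers share: attributes visible to $user.
function visibleAttributes(string $class, User $user): array
{
    $visible = [];
    foreach (attributeMetadata($class) as $name => $expr) {
        if (isGranted($user, $expr)) {
            $visible[] = $name;
        }
    }
    return $visible;
}

final class VulnerableNormalizer
{
    private array $cache = [];

    public function attributes(string $class, User $user): array
    {
        // BUG: the key omits everything user-dependent, so the list computed
        // for the first caller is handed to every subsequent caller.
        return $this->cache[$class] ??= visibleAttributes($class, $user);
    }
}

final class SafeNormalizer
{
    private array $cache = [];

    // The gate: a per-class cache entry is only safe when no attribute's
    // visibility depends on who is asking.
    private function isCacheKeySafe(string $class): bool
    {
        foreach (attributeMetadata($class) as $expr) {
            if ($expr !== null) {
                return false;
            }
        }
        return true;
    }

    public function attributes(string $class, User $user): array
    {
        if (!$this->isCacheKeySafe($class)) {
            // Security-dependent resource: recompute for every caller.
            return visibleAttributes($class, $user);
        }
        return $this->cache[$class] ??= visibleAttributes($class, $user);
    }
}

$admin  = new User(['ROLE_ADMIN']);
$reader = new User(['ROLE_USER']);

// An admin request warms the cache, then a low-privileged request follows.
$vuln = new VulnerableNormalizer();
$vuln->attributes('Book', $admin);
echo "vulnerable, reader sees: ", implode(', ', $vuln->attributes('Book', $reader)), PHP_EOL;

$safe = new SafeNormalizer();
$safe->attributes('Book', $admin);
echo "hardened,   reader sees: ", implode(', ', $safe->attributes('Book', $reader)), PHP_EOL;
```

Bypassing the cache is the conservative fix; the other valid design is to fold the security context (for example a stable hash of the caller's roles) into the cache key, which keeps caching for security-dependent resources but must be done for every code path that builds the key, which is exactly where a per-format normalizer override can fall out of step.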
Affected Version(s)
Package            Affected versions     Unaffected versions
api-platform/hal   >= 2.6.0, < 4.1.29    < 2.6.0, 4.1.29
api-platform/hal   >= 4.2.0, < 4.2.25    < 4.2.0, 4.2.25
api-platform/hal   >= 4.3.0, < 4.3.8     < 4.3.0, 4.3.8
