Type Confusion Vulnerability in API Platform Core by API Platform
CVE-2026-54164
What is CVE-2026-54164?
API Platform Core is affected by a type confusion vulnerability in the serializer's AbstractItemNormalizer. When a relation IRI is resolved, a resource of a type other than the one the relation expects can be silently assigned to the relation property. An attacker can trigger this by submitting a write request to the API in which a relation IRI points to a resource type different from the one the relation expects. This breaks system invariants and can affect application logic that relies on strict type integrity, in particular for legacy properties. The issue exists in versions before 4.1.30, 4.2.26, and 4.3.12, in which an operation was bypassed so that the IriConverter did not perform its checks. It is fixed in 4.1.30, 4.2.26, and 4.3.12.
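The following is a simplified PHP illustration of the relation-denormalization flaw described above and of the type check that closes it. It is added for this page and is not API Platform's code; the Author, User and Book classes, the IRI patterns, the resourceFromIri() stand-in and the two denormalize functions are all constructed for the demonstration.

```php
<?php
// Added illustration (not API Platform's own code): a minimal relation
// denormalizer showing the bug class described above and the check that
// closes it. All class names, IRIs and functions here are constructed.

final class Author { public function __construct(public int $id) {} }
final class User   { public function __construct(public int $id) {} }

// Legacy, untyped relation property: PHP accepts any object here, which is
// why an assignment of the wrong resource type is silent.
final class Book { public $author; }

// Constructed stand-in for an IRI converter: resolves an IRI to a resource.
function resourceFromIri(string $iri): object
{
    if (preg_match('#^/authors/(\d+)$#', $iri, $m)) { return new Author((int) $m[1]); }
    if (preg_match('#^/users/(\d+)$#', $iri, $m))   { return new User((int) $m[1]); }
    throw new InvalidArgumentException("Unknown IRI: $iri");
}

// Vulnerable shape: resolve the IRI and assign the result without checking
// that it is of the type the relation expects.
function denormalizeRelationUnchecked(Book $book, string $iri): void
{
    $book->author = resourceFromIri($iri);
}

// Hardened shape: the relation declares the class it expects, and the resolved
// resource must be an instance of that class before it is assigned.
function denormalizeRelationChecked(Book $book, string $iri, string $expectedClass): void
{
    $resource = resourceFromIri($iri);
    if (!$resource instanceof $expectedClass) {
        throw new UnexpectedValueException(sprintf(
            'IRI %s resolves to %s, expected %s', $iri, $resource::class, $expectedClass));
    }
    $book->author = $resource;
}

// Constructed write request: a User IRI is sent where an Author is expected.
$payload = ['author' => '/users/7'];

$book = new Book();
denormalizeRelationUnchecked($book, $payload['author']);
echo get_class($book->author), PHP_EOL;   // shows the wrongly typed resource now held by the relation

try {
    denormalizeRelationChecked(new Book(), $payload['author'], Author::class);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;        // the hardened path rejects it before assignment
}
```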
Affected Version(s)
core < 4.1.30
core >= 4.2.0, < 4.2.26
core >= 4.3.0, < 4.3.12
Fixed in: 4.1.30, 4.2.26, 4.3.12
