Type Confusion Vulnerability in API Platform Core by API Platform
CVE-2026-54164

6.5 MEDIUM

Key Information:

Vendor: API Platform
CVE Published: 1 July 2026

What is CVE-2026-54164?

API Platform Core is affected by a type confusion vulnerability in the serializer's AbstractItemNormalizer. When a relation IRI is resolved during deserialization, the resolved resource is assigned to the relation property without verifying that it is of the type the property declares, so a resource of an unintended type is silently stored there. An attacker with write access to the API can trigger this by submitting a write request whose relation IRI points at a resource type other than the one expected. This breaks application invariants and can affect any logic that assumes strict type integrity of relations, in particular for legacy (untyped) properties, which accept any object. Versions before 4.1.30, 4.2.26, and 4.3.12 are affected: a key operation was bypassed, so the corresponding check in the IriConverter never ran. The vulnerability is fixed in those versions.
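The following PHP example is added here to illustrate the failure mode described above and the check that prevents it; it is not API Platform's own code. The classes Book, Author and Review, the in-memory IriConverter and the two assignRelation* functions are hypothetical stand-ins for the normalizer's relation-resolution step: the unchecked variant shows a Review being stored in a property meant for an Author, the checked variant rejects it.

```php
<?php
// Added illustrative example, not API Platform's code. All class and function
// names below are hypothetical; they model the relation-IRI resolution step.
declare(strict_types=1);

final class Author { public function __construct(public string $name) {} }
final class Review { public function __construct(public string $text) {} }

// A "legacy" resource: the relation property is untyped, so PHP itself will not
// reject an object of the wrong class. (A typed ?Author property would throw a
// TypeError instead, but the application logic must not rely on that.)
final class Book { public $author = null; }

final class TypeConfusionException extends RuntimeException {}

/** Hypothetical IRI converter backed by a constructed in-memory resource table. */
final class IriConverter
{
    /** @var array<string, array<int, object>> */
    private array $store;

    public function __construct()
    {
        $this->store = [
            '/authors' => [1 => new Author('Ada')],
            '/reviews' => [7 => new Review('Five stars')],
        ];
    }

    public function getResourceFromIri(string $iri): object
    {
        if (!preg_match('#^(/[a-z]+)/(\d+)$#', $iri, $m)) {
            throw new InvalidArgumentException("Malformed IRI: $iri");
        }
        $item = $this->store[$m[1]][(int) $m[2]] ?? null;
        if ($item === null) {
            throw new InvalidArgumentException("Unknown IRI: $iri");
        }
        return $item;
    }
}

/** Vulnerable pattern: whatever the IRI resolves to is assigned, no type check. */
function assignRelationUnchecked(IriConverter $c, object $target, string $property, string $iri): void
{
    $target->$property = $c->getResourceFromIri($iri);
}

/** Hardened pattern: resolve the IRI, then require the declared relation type. */
function assignRelationChecked(IriConverter $c, object $target, string $property, string $expectedClass, string $iri): void
{
    $resolved = $c->getResourceFromIri($iri);
    if (!$resolved instanceof $expectedClass) {
        throw new TypeConfusionException(sprintf(
            'IRI %s resolves to %s but %s::$%s expects %s',
            $iri, $resolved::class, $target::class, $property, $expectedClass
        ));
    }
    $target->$property = $resolved;
}

$converter = new IriConverter();

// Unchecked: a Review ends up where an Author belongs, and nothing complains.
$book = new Book();
assignRelationUnchecked($converter, $book, 'author', '/reviews/7');
var_dump($book->author instanceof Review); // bool(true): silent type confusion

// Checked: the mismatched IRI is rejected, the matching one is accepted.
$book2 = new Book();
try {
    assignRelationChecked($converter, $book2, 'author', Author::class, '/reviews/7');
} catch (TypeConfusionException $e) {
    echo $e->getMessage(), PHP_EOL;
}
assignRelationChecked($converter, $book2, 'author', Author::class, '/authors/1');
var_dump($book2->author instanceof Author); // bool(true)
```

The check belongs at the point where the IRI is resolved, not in the property setter: the expected class is part of the resource's relation metadata, and comparing the resolved object against it before assignment is what closes the gap regardless of whether the target property is typed.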

Affected Version(s)

  • core < 4.1.30 (fixed in 4.1.30)

  • core >= 4.2.0, < 4.2.26 (fixed in 4.2.26)

  • core >= 4.3.0, < 4.3.12 (fixed in 4.3.12)

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 1 July 2026

  • Vulnerability reserved