Unauthorized Access Vulnerability in Avo Framework for Ruby on Rails Apps
CVE-2026-55518

9.6CRITICAL

Key Information:

Vendor

Avo-hq

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-55518?

The Avo framework for Ruby on Rails applications contains a vulnerability that allows low-privileged authenticated users to bypass parent record controls. Specifically, the authorization checks that are enforced in the user interface and certain GET requests are not consistently applied to the POST endpoint responsible for modifying associations. This inconsistency can lead to unauthorized data manipulation, allowing users to attach unrelated records without proper verification, potentially resulting in privilege escalation and exposure of sensitive data. The issue has been addressed in versions 3.32.1 and 4.0.0.beta.51, reinforcing the need for users to update their installations promptly.

Affected Version(s)

avo >= 4.0.0.beta.1, < 4.0.0.beta.51 < 4.0.0.beta.1, 4.0.0.beta.51

avo < 3.32.1 < 3.32.1

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.