Unauthorized Access Vulnerability in Avo Framework for Ruby on Rails Apps
CVE-2026-55518
What is CVE-2026-55518?
The Avo framework for Ruby on Rails applications contains a vulnerability that allows low-privileged authenticated users to bypass parent record controls. Specifically, the authorization checks that are enforced in the user interface and certain GET requests are not consistently applied to the POST endpoint responsible for modifying associations. This inconsistency can lead to unauthorized data manipulation, allowing users to attach unrelated records without proper verification, potentially resulting in privilege escalation and exposure of sensitive data. The issue has been addressed in versions 3.32.1 and 4.0.0.beta.51, reinforcing the need for users to update their installations promptly.
Affected Version(s)
avo >= 4.0.0.beta.1, < 4.0.0.beta.51 < 4.0.0.beta.1, 4.0.0.beta.51
avo < 3.32.1 < 3.32.1
