Improper Input Handling in Ash Project Affects User Data Integrity
CVE-2026-55736

5.9 MEDIUM

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-55736?

The Ash Project contains a vulnerability classed as improper control of modification of dynamically-determined object attributes. Because user-supplied parameters are filtered incompletely, an attacker can manipulate private action arguments, which are intended to be set only by trusted server-side code. Specifically, private arguments can be altered through user input when the parameter keys are binaries (strings). Depending on how an application uses these parameters, this can lead to critical integrity violations or privilege escalation. The issue affects versions of Ash from 3.0.0 up to, but not including, 3.29.3.
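The following is an added illustration of the flaw class described above, not code from Ash or from the advisory: a filter that only recognises one key type, next to a hardened filter that normalises keys before comparing. The module, function and argument names are hypothetical and the request parameters are constructed.

```elixir
# Added illustration; NOT code from the Ash project. Module, function and
# argument names are hypothetical; the params map is constructed sample input.
defmodule ParamFilterDemo do
  # Arguments that only trusted server-side code may set (hypothetical name).
  @private_args [:actor_role]

  # Incomplete filter: only atom keys are compared against the private list,
  # so the binary key "actor_role" passes through untouched.
  def filter_incomplete(params) do
    Map.reject(params, fn {key, _value} -> is_atom(key) and key in @private_args end)
  end

  # Hardened filter: normalise every key to a string before comparing, so the
  # atom and binary spellings of a private name are both rejected.
  def filter_strict(params) do
    private = MapSet.new(@private_args, &Atom.to_string/1)
    Map.reject(params, fn {key, _value} -> MapSet.member?(private, to_string(key)) end)
  end

  # Stand-in for an action layer that accepts either key form when casting
  # arguments, as code consuming decoded JSON or form params typically does.
  def cast_arguments(params) do
    Map.new(params, fn {key, value} -> {to_string(key), value} end)
  end
end

# Constructed request body as a JSON decoder would deliver it (binary keys).
user_params = %{"title" => "hello", "actor_role" => "admin"}

weak =
  user_params
  |> ParamFilterDemo.filter_incomplete()
  |> ParamFilterDemo.cast_arguments()

strict =
  user_params
  |> ParamFilterDemo.filter_strict()
  |> ParamFilterDemo.cast_arguments()

# Report whether the private argument reached the action layer in each case.
IO.inspect(Map.has_key?(weak, "actor_role"), label: "private arg survives incomplete filter")
IO.inspect(Map.has_key?(strict, "actor_role"), label: "private arg survives strict filter")
```

The script needs Elixir 1.13 or later for `Map.reject/2`.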

Affected Version(s)

ash 3.0.0 < 3.29.3

ash 5967ed3a483ab949866e6d7b043b043e61703f17

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alfred Vié
Zach Daniel
Jonatan Männchen / EEF