Permission Bypass in Elide by Yahoo Affecting Data Sort Expression
CVE-2026-57954

5.3 MEDIUM

Key Information:

Vendor: Yahoo
Status: Vendor
CVE Published: 29 June 2026

What is CVE-2026-57954?

Elide versions up to and including 7.1.17 do not enforce read permissions on client-supplied sort expressions in SortingImpl.getValidSortingRules. A client can therefore sort a collection by a field it is not permitted to read. The field's value is still withheld from the response, but the order in which rows come back is a function of that value, so an attacker can infer the hidden values (at minimum their relative ranking) across every row in the collection by analysing the returned row order. Both the JSON:API and GraphQL endpoints accept sort expressions and are affected. The check a practitioner wants here is that every field named in a sort expression passes the same read-permission check that is applied when the field is projected into the response, before any sorting is done.
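The following is an added illustration of the permission gap described above; it is not Elide's code. It models a tiny collection with a per-field read permission table, a vulnerable sort that trusts the client's JSON:API-style sort string, and a hardened sort that rejects any sort field the caller cannot read. The data, roles, field names and function names are all hypothetical.

```python
"""Sort-expression permission bypass, simulated (not Elide's code).

A non-admin role may read id and name but not salary.  The vulnerable
sort honours "sort=salary" anyway, so the row order in the response
reveals the ranking of a field the caller never sees.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Employee:
    id: int
    name: str
    salary: int  # readable only by the "admin" role


# Constructed sample rows.
ROWS = [
    Employee(1, "ana", 120_000),
    Employee(2, "bob", 65_000),
    Employee(3, "cyd", 98_000),
    Employee(4, "dee", 65_000),
]

# Field -> roles allowed to read it (stand-in for a per-field read permission).
READ_PERMISSION: Dict[str, set] = {
    "id": {"user", "admin"},
    "name": {"user", "admin"},
    "salary": {"admin"},
}


class PermissionDenied(Exception):
    pass


def parse_sort_expression(expr: str) -> List[Tuple[str, bool]]:
    """Parse a JSON:API-style sort string such as "-salary,name" into
    (field, descending) pairs.  Unknown fields are rejected outright."""
    rules = []
    for token in expr.split(","):
        token = token.strip()
        if not token:
            continue
        descending = token.startswith("-")
        field = token[1:] if descending else token
        if field not in READ_PERMISSION:
            raise ValueError(f"unknown field: {field}")
        rules.append((field, descending))
    return rules


def project(rows: List[Employee], role: str) -> List[dict]:
    """Serialize only the fields the role may read, keeping row order."""
    allowed = [f for f, roles in READ_PERMISSION.items() if role in roles]
    return [{f: getattr(r, f) for f in allowed} for r in rows]


def apply_sort(rows: List[Employee], rules: List[Tuple[str, bool]]) -> List[Employee]:
    """Stable multi-key sort: apply rules last-to-first so the first rule
    becomes the primary key."""
    out = list(rows)
    for field, descending in reversed(rules):
        out.sort(key=lambda r: getattr(r, field), reverse=descending)
    return out


def sort_vulnerable(rows: List[Employee], role: str, expr: str) -> List[dict]:
    """Vulnerable: sorts by whatever the client asked for, then projects.
    The projection hides the field, but the order already leaked it."""
    rules = parse_sort_expression(expr)
    return project(apply_sort(rows, rules), role)


def sort_hardened(rows: List[Employee], role: str, expr: str) -> List[dict]:
    """Hardened: every sort field must pass the same read check the
    projection uses, before any sorting happens."""
    rules = parse_sort_expression(expr)
    for field, _ in rules:
        if role not in READ_PERMISSION[field]:
            raise PermissionDenied(f"{role} may not sort by {field}")
    return project(apply_sort(rows, rules), role)


def leaked_salary_order(role: str = "user") -> List[int]:
    """What a non-admin learns from the vulnerable endpoint: the ids in
    ascending order of a field it is not allowed to read."""
    return [row["id"] for row in sort_vulnerable(ROWS, role, "salary")]


if __name__ == "__main__":
    print("leaked ranking:", leaked_salary_order())
    try:
        sort_hardened(ROWS, "user", "salary")
    except PermissionDenied as e:
        print("hardened:", e)
```

The important design point is that the hardened version validates sort fields with the same rule the response projection uses; a separate allow-list for sorting would drift from the read permissions over time and reopen the leak.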

Affected Version(s)

elide: all versions from 0 up to and including 7.1.17

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published (29 June 2026)

  • Vulnerability reserved

Credit

George Chen