Jul 8, 2026·5 min read·4 visits
An authenticated but unauthorized user can bypass Laravel authorization checks to retrieve configuration forms and submit records via Code16 Sharp's Quick Creation Command feature.
Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.
Code16 Sharp is an administrative content management framework designed as an extension package for Laravel applications. The framework exposes a comprehensive API-driven suite of features, including list views, detail pages, and command-driven forms. Among these is the Quick Creation Command capability, which enables developers to integrate contextual addition forms directly into list components.
The vulnerability designated as CVE-2026-53634 resides in the handling controller of the Quick Creation Command feature. The routes configured for administrative interactions were exposed to authenticated web clients without adequate access verification against underlying model policies. The lack of restrictive controls allows an unauthorized user to directly query administrative functions.
Any low-privileged authenticated application user with active panel sessions can access these administrative endpoints. If the associated entity is configured with a Quick Creation handler, the platform executes incoming creation requests or returns schema documents. This action completely bypasses role-based restrictions on entity-level creation actions.
The root cause of the vulnerability is classified under CWE-862: Missing Authorization. The vulnerable entry points are handled within the ApiEntityListQuickCreationCommandController class. This controller exposes the endpoints used to request the Quick Creation form configuration and persist data.
Prior to version 9.22.3, the controller's create and store methods did not execute any verification against the Sharp authorization manager. While other controllers in the framework validate actions against defined policy rules, these methods completely omitted policy authorization calls. The logic transitioned directly from parsing URL parameters to schema generation and DB persistence.
The vulnerability is triggered because the endpoints accept an arbitrary $entityKey parameter and read the request parameters without validating the permissions of the current session owner. The session requires validation, but the level of privileges on the associated user is not checked. This logical hole permits authenticated cross-entity modifications.
An analysis of the remediation patch implemented in commit aa18a85fd8fef830988a336cad2278986729d21a highlights the authorization gap. The patch inserts validation routines at the start of both incoming request pathways within the controller.
Below is the comparative difference illustrating the added protection layer within ApiEntityListQuickCreationCommandController.php:
// Prior to version 9.22.3, the endpoints processed requests without checks:
public function create(string $globalFilter, EntityKey $entityKey, EntityKey $formEntityKey)
{
$entity = $this->entityManager->entityFor($entityKey);
$list = $entity->getListOrFail();
// ... returns configuration directly
}
// In version 9.22.3, authorization validation was added:
public function create(string $globalFilter, EntityKey $entityKey, EntityKey $formEntityKey)
{
// Added critical permission check matching current user against the entity policies
$this->authorizationManager->check('create', $entityKey);
$entity = $this->entityManager->entityFor($entityKey);
$list = $entity->getListOrFail();
// ...
}The implementation enforces standard policy validation using $this->authorizationManager->check('create', $entityKey). However, security teams should observe that validation operates against $entityKey (the primary container entity) rather than $formEntityKey (the entity being created). If policy configurations between these related elements diverge, a risk of logical bypass might still exist within custom implementations.
Exploitation of CVE-2026-53634 requires an active authenticated session on the application's admin panel. The vulnerability does not require special administrative privileges; standard user credentials are sufficient.
To retrieve a restricted form schema, the attacker issues a direct HTTP GET request targeting the quick-creation-form route. This action leaks structural validation definitions and administrative fields. The following HTTP mock demonstrates this request structure:
GET /sharp/api/list/command/quick-creation-form/create?entityKey=restricted_entity&formEntityKey=restricted_entity HTTP/1.1
Host: target-app.local
Cookie: laravel_session=eyJpdiI6Ik... [VALID LOWER-PRIVILEGE SESSION]
Accept: application/jsonTo insert unauthorized data, the attacker submits a direct POST request carrying the target parameters. The endpoint parses the input payload and populates the database using the internal handler, bypassing security policies:
POST /sharp/api/list/command/quick-creation-form/create?entityKey=restricted_entity&formEntityKey=restricted_entity HTTP/1.1
Host: target-app.local
Cookie: laravel_session=eyJpdiI6Ik...
Content-Type: application/json
{
"restricted_field_name": "malicious_data_payload",
"active_status": true
}The target application processes the JSON data and responds with a success status, completing the unauthorized persistence action.
The CVSS Base Score of 4.3 signifies a Medium Severity impact. The attack complexity is minimal (AC:L) and requires network connectivity (AV:N), but exploitation requires a valid low-level authenticated credential (PR:L).
The vulnerability does not facilitate remote code execution (RCE) or sensitive data extraction beyond form structural layouts. Instead, the risk is concentrated around unauthorized write actions on backend data structures. This bypass compromises the integrity of target records and leads to data pollution or logic manipulation.
Currently, threat intelligence reports indicate no known exploitation in the wild. The EPSS score remains low at 0.00213, placing the exploit probability inside the bottom percentile. Despite this, administrative panels containing sensitive configuration options remain high-priority cleanup targets.
The primary mitigation action is upgrading the Code16 Sharp dependency to version 9.22.3 or later. This can be executed using the Composer package manager.
Run the following command in the application's root directory:
composer update code16/sharpDevelopers can implement the following unit test structure to verify that the fix is applied and functioning correctly within their environments:
it('verifies authorization restrictions for quick creation configurations', function () {
// Setup an entity with prohibited 'create' actions
app(SharpEntityManager::class)
->entityFor('restricted_entity')
->setProhibitedActions(['create']);
// Send GET request and assert forbidden status
$this->getJson(route('code16.sharp.api.list.command.quick-creation-form.create', [
'entityKey' => 'restricted_entity',
'formEntityKey' => 'restricted_entity',
]))->assertForbidden();
// Send POST request and assert forbidden status
$this->postJson(route('code16.sharp.api.list.command.quick-creation-form.create', [
'entityKey' => 'restricted_entity',
'formEntityKey' => 'restricted_entity',
]))->assertForbidden();
});Web application firewall (WAF) or SIEM logging rules should monitor requests containing the endpoint path /sharp/api/list/command/quick-creation-form/create from general user sessions. Frequent successes (HTTP status 200/201) from unauthorized roles indicate an unpatched vulnerability.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Code16 Sharp Code16 | >= 9.0.0, < 9.22.3 | 9.22.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-862 |
| Attack Vector | Network (AV:N) |
| CVSS Base Score | 4.3 (Medium) |
| EPSS Score | 0.00213 |
| Impact | Low Integrity Impact (Privilege Escalation) |
| Exploit Status | Proof of Concept and patch details available, no active exploitation in the wild |
| KEV Status | Not Listed |
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.
The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.
A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.
Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.
CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.
An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.