CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-53634

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Alon Barad
Alon Barad
Software Engineer

Jul 8, 2026·5 min read·4 visits

Executive Summary (TL;DR)

An authenticated but unauthorized user can bypass Laravel authorization checks to retrieve configuration forms and submit records via Code16 Sharp's Quick Creation Command feature.

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Vulnerability Overview

Code16 Sharp is an administrative content management framework designed as an extension package for Laravel applications. The framework exposes a comprehensive API-driven suite of features, including list views, detail pages, and command-driven forms. Among these is the Quick Creation Command capability, which enables developers to integrate contextual addition forms directly into list components.

The vulnerability designated as CVE-2026-53634 resides in the handling controller of the Quick Creation Command feature. The routes configured for administrative interactions were exposed to authenticated web clients without adequate access verification against underlying model policies. The lack of restrictive controls allows an unauthorized user to directly query administrative functions.

Any low-privileged authenticated application user with active panel sessions can access these administrative endpoints. If the associated entity is configured with a Quick Creation handler, the platform executes incoming creation requests or returns schema documents. This action completely bypasses role-based restrictions on entity-level creation actions.

Root Cause Analysis

The root cause of the vulnerability is classified under CWE-862: Missing Authorization. The vulnerable entry points are handled within the ApiEntityListQuickCreationCommandController class. This controller exposes the endpoints used to request the Quick Creation form configuration and persist data.

Prior to version 9.22.3, the controller's create and store methods did not execute any verification against the Sharp authorization manager. While other controllers in the framework validate actions against defined policy rules, these methods completely omitted policy authorization calls. The logic transitioned directly from parsing URL parameters to schema generation and DB persistence.

The vulnerability is triggered because the endpoints accept an arbitrary $entityKey parameter and read the request parameters without validating the permissions of the current session owner. The session requires validation, but the level of privileges on the associated user is not checked. This logical hole permits authenticated cross-entity modifications.

Code Analysis & Flow Visualization

An analysis of the remediation patch implemented in commit aa18a85fd8fef830988a336cad2278986729d21a highlights the authorization gap. The patch inserts validation routines at the start of both incoming request pathways within the controller.

Below is the comparative difference illustrating the added protection layer within ApiEntityListQuickCreationCommandController.php:

// Prior to version 9.22.3, the endpoints processed requests without checks:
public function create(string $globalFilter, EntityKey $entityKey, EntityKey $formEntityKey)
{
    $entity = $this->entityManager->entityFor($entityKey);
    $list = $entity->getListOrFail();
    // ... returns configuration directly
}
 
// In version 9.22.3, authorization validation was added:
public function create(string $globalFilter, EntityKey $entityKey, EntityKey $formEntityKey)
{
    // Added critical permission check matching current user against the entity policies
    $this->authorizationManager->check('create', $entityKey);
 
    $entity = $this->entityManager->entityFor($entityKey);
    $list = $entity->getListOrFail();
    // ...
}

The implementation enforces standard policy validation using $this->authorizationManager->check('create', $entityKey). However, security teams should observe that validation operates against $entityKey (the primary container entity) rather than $formEntityKey (the entity being created). If policy configurations between these related elements diverge, a risk of logical bypass might still exist within custom implementations.

Exploitation Methodology

Exploitation of CVE-2026-53634 requires an active authenticated session on the application's admin panel. The vulnerability does not require special administrative privileges; standard user credentials are sufficient.

To retrieve a restricted form schema, the attacker issues a direct HTTP GET request targeting the quick-creation-form route. This action leaks structural validation definitions and administrative fields. The following HTTP mock demonstrates this request structure:

GET /sharp/api/list/command/quick-creation-form/create?entityKey=restricted_entity&formEntityKey=restricted_entity HTTP/1.1
Host: target-app.local
Cookie: laravel_session=eyJpdiI6Ik... [VALID LOWER-PRIVILEGE SESSION]
Accept: application/json

To insert unauthorized data, the attacker submits a direct POST request carrying the target parameters. The endpoint parses the input payload and populates the database using the internal handler, bypassing security policies:

POST /sharp/api/list/command/quick-creation-form/create?entityKey=restricted_entity&formEntityKey=restricted_entity HTTP/1.1
Host: target-app.local
Cookie: laravel_session=eyJpdiI6Ik...
Content-Type: application/json
 
{
  "restricted_field_name": "malicious_data_payload",
  "active_status": true
}

The target application processes the JSON data and responds with a success status, completing the unauthorized persistence action.

Impact Assessment

The CVSS Base Score of 4.3 signifies a Medium Severity impact. The attack complexity is minimal (AC:L) and requires network connectivity (AV:N), but exploitation requires a valid low-level authenticated credential (PR:L).

The vulnerability does not facilitate remote code execution (RCE) or sensitive data extraction beyond form structural layouts. Instead, the risk is concentrated around unauthorized write actions on backend data structures. This bypass compromises the integrity of target records and leads to data pollution or logic manipulation.

Currently, threat intelligence reports indicate no known exploitation in the wild. The EPSS score remains low at 0.00213, placing the exploit probability inside the bottom percentile. Despite this, administrative panels containing sensitive configuration options remain high-priority cleanup targets.

Remediation & Testing Guidance

The primary mitigation action is upgrading the Code16 Sharp dependency to version 9.22.3 or later. This can be executed using the Composer package manager.

Run the following command in the application's root directory:

composer update code16/sharp

Developers can implement the following unit test structure to verify that the fix is applied and functioning correctly within their environments:

it('verifies authorization restrictions for quick creation configurations', function () {
    // Setup an entity with prohibited 'create' actions
    app(SharpEntityManager::class)
        ->entityFor('restricted_entity')
        ->setProhibitedActions(['create']);
 
    // Send GET request and assert forbidden status
    $this->getJson(route('code16.sharp.api.list.command.quick-creation-form.create', [
        'entityKey' => 'restricted_entity',
        'formEntityKey' => 'restricted_entity',
    ]))->assertForbidden();
 
    // Send POST request and assert forbidden status
    $this->postJson(route('code16.sharp.api.list.command.quick-creation-form.create', [
        'entityKey' => 'restricted_entity',
        'formEntityKey' => 'restricted_entity',
    ]))->assertForbidden();
});

Web application firewall (WAF) or SIEM logging rules should monitor requests containing the endpoint path /sharp/api/list/command/quick-creation-form/create from general user sessions. Frequent successes (HTTP status 200/201) from unauthorized roles indicate an unpatched vulnerability.

Official Patches

Code16GHSA Security Advisory
Code16Official Release Patch

Fix Analysis (1)

Technical Appendix

CVSS Score
4.3/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Probability
0.21%
Top 88% most exploited

Affected Systems

Code16 Sharp

Affected Versions Detail

Product
Affected Versions
Fixed Version
Code16 Sharp
Code16
>= 9.0.0, < 9.22.39.22.3
AttributeDetail
CWE IDCWE-862
Attack VectorNetwork (AV:N)
CVSS Base Score4.3 (Medium)
EPSS Score0.00213
ImpactLow Integrity Impact (Privilege Escalation)
Exploit StatusProof of Concept and patch details available, no active exploitation in the wild
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1068Exploitation for Privilege Escalation
Privilege Escalation
CWE-862
Missing Authorization

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

Vulnerability Timeline

Security patch committed and version 9.22.3 released.
2026-06-01
GHSA advisory and CVE-2026-53634 published.
2026-06-10

References & Sources

  • [1]NVD - CVE-2026-53634 Detail
  • [2]GitHub Security Advisory - GHSA-vmwx-m75v-qvch
  • [3]GitHub Pull Request 729
  • [4]Fix Commit aa18a85fd8fef830988a336cad2278986729d21a

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 3 hours ago•CVE-2026-49471
8.3

CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.

Alon Barad
Alon Barad
8 views•5 min read
•about 3 hours ago•GHSA-MXWC-WH95-PW4G
5.3

GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 4 hours ago•GHSA-Q95X-7G78-RCCV
6.3

GHSA-Q95X-7G78-RCCV: Safe Rust Memory Corruption via Use-After-Free in oneringbuf Crate

A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 17 hours ago•CVE-2026-53359
8.8

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

Amit Schendel
Amit Schendel
76 views•5 min read
•about 17 hours ago•CVE-2026-48282
10.0

CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services

CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.

Alon Barad
Alon Barad
26 views•6 min read
•about 22 hours ago•GHSA-GQ4G-FPC9-VJFQ
2.3

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

Alon Barad
Alon Barad
8 views•5 min read