Impact
An incorrect authorization flaw (CWE-863) in the ash framework allows certain action hooks to run even when the request has already been marked as forbidden. The bulk create, destroy, and update actions are affected, so a caller whose request should have been rejected can still cause unintended operations to run across collections of resources. The impact is a loss of integrity: bulk changes can be applied without the intended permission checks taking effect.
Affected Systems
The ash library from ash-project is affected. Every release before 3.5.39, and any build from a commit earlier than 5d1b6a5d00771fd468a509778637527b5218be9a, contains the flaw; this includes every affected version published on hex. The flaw resides in lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, and lib/ash/actions/update/bulk.ex. Applications that pull ash from hex should upgrade to 3.5.39 or later; applications that pin ash to a git commit should confirm the pinned commit is at or after the fixing commit rather than relying on a version number.
Risk and Exploitability
The CVSS score of 7.1 falls in the High band, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in CISA KEV. The description states only that forbidden action hooks can be triggered to perform bulk operations; it does not specify the prerequisites. Since ash evaluates authorization against an actor, the attacker is presumably a caller who can reach a bulk action but is not permitted to perform it, which may mean an authenticated but under-privileged user, although the CVE does not say so explicitly. Likewise, the vector is presumably network requests to an ash-based service, since that is how such actions are normally reached, but the CVE data does not confirm this. Actual exposure depends on whether the application offers affected bulk actions to untrusted callers and on which action hooks those actions carry, since the hooks are what run despite the forbidden result.