Description
Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2.

This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
Published: 2025-10-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

The vulnerability arises from a flaw in the authorizer module of the Ash framework, where runtime policies that should never pass are incorrectly applied, allowing an attacker to bypass authentication checks. This flaw precisely maps to CWE‑863, highlighting a failure in authorization logic that permits unauthorized users to gain access to protected resources, potentially leading to data exposure or privilege escalation. As the bypass occurs at the authorization layer, the impact is primarily integrity and confidentiality, with the attacker able to act as a legitimate user without proper credentials.

Affected Systems

Glance the Ash framework released before v3.6.2, specifically any installation using the package versions before 3.6.2 or the commit 66d81300065b970da0d2f4528354835d2418c7ae. The vendor is ash‑project and the product in question is the Ash package distributed via Hex.

Risk and Exploitability

The CVSS score of 8.6 signals a high severity vulnerability, yet the EPSS score indicates a very low probability of exploitation at present (<1%). Because the flaw is a pure authorization bypass, an attacker would need to craft requests that trigger the flawed strict_filters logic or exploit unauthenticated endpoints. The issue is not yet present in the CISA KEV catalog, so no known exploit code has been reported publicly. The likely attack vector is inferred to be through exposed API endpoints or custom policy definitions that include impossible filter conditions, enabling the attacker to bypass authentication without additional privileges.

Generated by OpenCVE AI on April 27, 2026 at 23:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ash to version 3.6.2 or newer, which contains the fixed authorizer logic.
  • If a direct upgrade is impossible, apply the patch from commit 66d8130 to restore correct strict_filters behavior.
  • Review custom runtime policies and remove any filters that can never be satisfied, ensuring the authorization checks cannot be bypassed.

Generated by OpenCVE AI on April 27, 2026 at 23:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7r7f-9xpj-jmr7 Ash Framework: Filter authorization misapplies impossible bypass/runtime policies
History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
References

Fri, 10 Oct 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.
Title Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization
First Time appeared Ash-project
Ash-project ash
Weaknesses CWE-863
CPEs cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
Vendors & Products Ash-project
Ash-project ash
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Ash-project Ash
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:40:17.241Z

Reserved: 2025-05-15T08:40:25.455Z

Link: CVE-2025-48043

cve-icon Vulnrichment

Updated: 2025-10-10T16:45:36.055Z

cve-icon NVD

Status : Deferred

Published: 2025-10-10T16:15:52.083

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-48043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T23:45:15Z

Weaknesses