Impact
Incorrect authorization logic in ash-project's Ash framework lets a caller perform actions without proper authorization. The flaw is in the policy evaluation code in lib/ash/policy/policy.ex, specifically the function Elixir.Ash.Policy.Policy.expr/2, and causes the framework to treat an unauthorized request as authorized when a bypass policy condition evaluates to true. Because a bypass policy that passes authorizes the request outright, rather than narrowing it with a filter as an ordinary policy does, a mistake at this point is a complete bypass of the resource's policies. An attacker who can reach this code path could read or modify protected resources or elevate privileges, with high impact on the confidentiality and integrity of the affected application.
Affected Systems
The vulnerability affects the ash Hex package (pkg:hex/ash) in all versions from 3.6.3 up to but not including 3.7.1, so 3.7.1 is the first fixed release. Git revisions before commit 8b83efa225f657bfc3656ad8ee8485f9b2de923d are also listed as affected. The product is the Ash framework maintained by ash-project; any system running one of these versions should be treated as vulnerable until it is upgraded.
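The quickest way to tell whether a deployment is in the affected range is to read the locked ash version out of the project's mix.lock and compare it against the advisory's range. The script below is an added example, not part of the advisory or the Ash project; the mix.lock text it parses is constructed for the example, and the range constants are taken from the Affected Systems paragraph above. It handles prerelease tags (a 3.7.1 release candidate still sorts below 3.7.1 and is reported as affected) and flags a git dependency for manual comparison against the named commit, since a commit hash alone does not tell you whether the fix is included.

```python
"""Check a mix.lock for the affected ash version range from the advisory.

Added example; not code from the advisory or the Ash project.
"""
import re
import sys
from typing import Optional, Tuple

AFFECTED_MIN = "3.6.3"  # first affected release named in the advisory
FIXED_IN = "3.7.1"      # first fixed release named in the advisory
FIX_COMMIT = "8b83efa225f657bfc3656ad8ee8485f9b2de923d"  # commit named in the advisory

# Constructed mix.lock fragment for the example; not taken from any real project.
SAMPLE_MIX_LOCK = '''%{
  "ash": {:hex, :ash, "3.6.9", "0123abcd", [:mix], [{:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}], "hexpm", "4567ef01"},
  "decimal": {:hex, :decimal, "2.3.0", "89ab", [:mix], [], "hexpm", "cdef"},
}
'''

# mix.lock entry shapes: {:hex, :name, "version", ...} and {:git, "url", "ref", opts}
_HEX_ENTRY = r'^\s*"{pkg}":\s*\{{:hex,\s*:{pkg},\s*"(?P<version>[^"]+)"'
_GIT_ENTRY = r'^\s*"{pkg}":\s*\{{:git,\s*"(?P<url>[^"]+)",\s*"(?P<ref>[0-9a-f]{{7,40}})"'


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Sortable key for a semver string; a prerelease sorts below its final release."""
    core = version.split("+", 1)[0]          # drop build metadata
    core, _, prerelease = core.partition("-")  # split off "-rc.0" style tags
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True when AFFECTED_MIN <= version < FIXED_IN."""
    key = version_key(version)
    return version_key(AFFECTED_MIN) <= key < version_key(FIXED_IN)


def locked_dependency(lock_text: str, package: str = "ash") -> Tuple[str, Optional[str]]:
    """Return ("hex", version), ("git", ref) or ("missing", None) for a package in mix.lock."""
    pkg = re.escape(package)
    m = re.search(_HEX_ENTRY.format(pkg=pkg), lock_text, re.MULTILINE)
    if m:
        return ("hex", m.group("version"))
    m = re.search(_GIT_ENTRY.format(pkg=pkg), lock_text, re.MULTILINE)
    if m:
        return ("git", m.group("ref"))
    return ("missing", None)


def assess(lock_text: str) -> Tuple[str, str]:
    """Classify the locked ash dependency as affected, fixed, unaffected, manual or missing."""
    kind, value = locked_dependency(lock_text, "ash")
    if kind == "missing":
        return ("missing", "ash is not in mix.lock")
    if kind == "git":
        # A hash does not order against the fix commit; check the checkout by hand.
        return ("manual", f"git checkout {value}: confirm it contains {FIX_COMMIT}")
    if is_affected(value):
        return ("affected", f"ash {value} is within [{AFFECTED_MIN}, {FIXED_IN})")
    if version_key(value) >= version_key(FIXED_IN):
        return ("fixed", f"ash {value} is at or above {FIXED_IN}")
    return ("unaffected", f"ash {value} predates {AFFECTED_MIN}")


if __name__ == "__main__":
    # Usage: python check_ash.py [path/to/mix.lock]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MIX_LOCK
    status, detail = assess(text)
    print(f"{status}: {detail}")
```

Run it against a real mix.lock by passing the path; a result of `affected` means the upgrade to 3.7.1 is outstanding, and `manual` means the dependency is pinned to a git ref and needs a `git merge-base --is-ancestor` style check against the fix commit.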
Risk and Exploitability
The CVSS score of 8.6 reflects the high impact, while the EPSS score of under 1% indicates a low current likelihood of exploitation in the wild. The issue is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is an in-application request that triggers evaluation of a policy condition; once triggered, it bypasses authorization without user interaction, which makes the flaw attractive to attackers despite the low EPSS.
OpenCVE Enrichment source: GitHub GHSA