CVE-2026-42202 - Vulnerability Details

Description

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0.

Published: 2026-05-08

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw exists because the toggle endpoint is protected only by generic authentication middleware. Any authenticated user on the configured guard can POST to the endpoint and flip boolean attributes on any Nova resource, including resources the caller should not have access to. The endpoint also accepts arbitrary attribute names, allowing a valid caller to toggle any boolean column in the underlying database. The issue was fixed in version 1.3.0.

Affected Systems

The vulnerability affects applications that incorporate the nova-toggle-5 package from almirhodzic prior to release v1.3.0. The package exposes a POST route at /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}. Any deployment using this package without upgrading is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate‐to‑high severity. The EPSS score is not available and the vulnerability is not in CISA KEV. Because the attacker only needs an authenticated session that satisfies the guard used for Nova, the attack vector is web-based and readily exploitable. The lack of fine‑grained authorization therefore makes the flaw a significant risk for any system that exposes Nova to shared or non‑admin user pools.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

almirhodzic

nova-toggle-5

affected

Version	Status	Constraints
`< 1.3.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade nova-toggle-5 to version 1.3.0 or later, which implements proper authorization checks for the toggle endpoint.
Configure the guard used for Nova so that only administrative users can authenticate against it, preventing ordinary users from reaching the toggle route.
Add explicit permission checks (e.g., Laravel gates or policies) around the toggle action to verify that the caller has rights to modify the specific Nova resource before allowing the operation.

Generated by OpenCVE AI on May 8, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-f5c8-m5vw-rmgq	nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00026.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/almirhodzic/nova-toggle-5/releases/tag/v1.3.0
https://github.com/almirhodzic/nova-toggle-5/security/advisories/GHSA-f5c8-m5vw-rmgq

History

Fri, 08 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0.
Title		nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
Weaknesses		CWE-285
References		https://github.com/almirhodzic/nova-toggle-5/releases/tag/v1.3.0 https://github.com/almirhodzic/nova-toggle-5/security/advisories/GHSA-f5c8-m5vw-rmgq
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-08T21:18:58.593Z

Updated: 2026-05-08T21:18:58.593Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42202

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T22:16:31.683

Modified: 2026-05-08T22:16:31.683

Link: CVE-2026-42202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses

CWE-285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object