Description
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.
Published: 2026-05-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can trigger any Action class within the Avo framework, regardless of whether that action is registered for the target resource. This insecure lookup bypass places privilege escalation in the hands of attackers, enabling them to manipulate data across the application. The flaw stems from broken access control in the ActionsController.

Affected Systems

Avo framework version 3.31.1 and earlier used in Ruby on Rails projects. Since the issue was fixed in version 3.31.2, all installations running a prior version are affected.

Risk and Exploitability

The CVSS score of 8.8 places the vulnerability in the high range, and its exploitability requires only that the attacker has a valid authenticated session. With no EPSS data and no KEV listing, the broader risk depends on the security posture of the application, but the potential for unauthorized data manipulation across the entire app makes it a significant concern.

Generated by OpenCVE AI on May 8, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Avo framework to version 3.31.2 or later.
  • Add explicit permission checks in custom Action classes to restrict execution to authorized roles.
  • Audit existing Action classes to ensure no unauthorized actions can be invoked by users.

Generated by OpenCVE AI on May 8, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qc5p-3mg5-9fh8 Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
History

Fri, 08 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Avo Hq
Avo Hq avo
Vendors & Products Avo Hq
Avo Hq avo

Fri, 08 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.
Title Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources
Weaknesses CWE-284
CWE-639
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Avo Hq Avo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:26:44.743Z

Reserved: 2026-04-25T05:04:37.027Z

Link: CVE-2026-42205

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T22:16:31.820

Modified: 2026-05-08T22:16:31.820

Link: CVE-2026-42205

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T23:15:20Z

Weaknesses