Impact
Filament’s AttachAction and AssociateAction let developers narrow the records offered in the record select through recordSelectOptionsQuery, but the built‑in validation rule applied to the submitted record ID did not use the same scope. A user who is allowed to trigger one of these actions can therefore tamper with the Livewire component’s state and submit an ID that the options query would never have offered, attaching or associating a record they are not meant to see. The result is an authorization bypass that can expose or alter data belonging to other users or tenants, compromising both integrity and confidentiality.
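The following is an added illustration, not code from Filament or from the advisory, of the mismatch described above and of a compensating control that can be applied before upgrading: the same scope is applied both to the option list and to the server-side validation of whatever ID the client submits. It assumes a Post model owned by a User through a `user` relation, a relation manager on the User resource, and Filament 3 namespaces (in 4.x the action lives under `Filament\Actions`; the rest is unchanged). The `$scope` closure, the `App\Models\Post` class and the error message are all assumptions.

```php
<?php

// Added example (not Filament's own code). Assumed: App\Models\Post with a
// `user()` BelongsTo relation, and Filament 3 namespaces.

use App\Models\Post;                       // assumed model
use Closure;
use Filament\Forms\Components\Select;
use Filament\Tables\Actions\AttachAction;
use Illuminate\Database\Eloquent\Builder;

// The scope is defined once so the option list and the validation rule
// cannot drift apart. Parameter must be named $query for Filament's
// name-based injection into recordSelectOptionsQuery().
$scope = fn (Builder $query): Builder => $query->whereBelongsTo(auth()->user());

// Before: only the option list is scoped. The rule Filament ran on the
// submitted ID only checked that *some* Post with that ID exists, so a
// Livewire payload edited to carry another user's post ID passed validation.
$vulnerable = AttachAction::make()
    ->recordSelectOptionsQuery($scope);

// After: the submitted ID(s) are re-checked against the same scoped query on
// the server, independent of what the client rendered or sent.
$hardened = AttachAction::make()
    ->recordSelectOptionsQuery($scope)
    ->recordSelect(fn (Select $select) => $select->rules([
        fn (): Closure => function (string $attribute, mixed $value, Closure $fail) use ($scope): void {
            // The select may be single or multiple; normalise to a unique list.
            $ids = array_values(array_unique((array) $value));
            if ($ids === []) {
                return; // emptiness is handled by the field's own required rule
            }

            // Count how many of the submitted IDs fall inside the visible set.
            $visible = $scope(Post::query())->whereKey($ids)->count();

            if ($visible !== count($ids)) {
                // At least one ID was outside the option set the user was shown.
                $fail('One or more selected records are not available to you.');
            }
        },
    ]));
```

The same `recordSelect()` plus closure-rule pattern applies to AssociateAction, which also exposes `recordSelectOptionsQuery()`. The check deliberately runs the scoped query a second time rather than trusting the list that was rendered, because the whole class of bug is that the rendered list and the accepted input are two separate code paths.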
Affected Systems
The vulnerability affects the filamentphp/filament package. Specifically, the issue exists in filament/actions versions 4.0.0 through 4.11.4 and in 5.6.4, and in filament/tables versions 3.0.0 through 3.3.51. Any Laravel application that installs one of these versions and exposes an AttachAction or AssociateAction (for example in a relation manager) is potentially affected; the installed versions can be confirmed with `composer show filament/actions` and `composer show filament/tables`. The bypass only buys an attacker something where recordSelectOptionsQuery is relied on to enforce access control rather than merely to tidy the list, so those call sites are the ones to review first.
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability at medium severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. Exploitation happens at the application layer: a user who is already authorized to open the attach or associate form edits the Livewire request payload to carry an ID outside the scoped option set, and the server-side rule accepts it. No tooling beyond intercepting the browser’s Livewire requests is needed, so the practical risk depends on how many users can reach these actions and on how much of the application’s access control rests on recordSelectOptionsQuery. Upgrading to a fixed version closes the gap; until then, re-validating the submitted ID against the same scope on the server is the compensating control.
OpenCVE Enrichment
GitHub GHSA