Description
DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2` contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In DevGuard prior to version 1.4.2, authenticated users who are not members of an organization, project, or asset can create, update, reapply, or delete VEX rules and perform various vulnerability-triage write operations on public assets. This flaw allows a malicious user to alter security information such as rules, dependency-vulnerability events, license risks, and artifact metadata, potentially falsifying the organization's vulnerability posture. The weakness is an authorization bypass (CWE-285) compounded by improper role handling (CWE-863).

Affected Systems

The affected product is DevGuard from l3montree-dev. All releases older than v1.4.2 are vulnerable, regardless of deployment size or environment. No specific platform or operating system limitations are noted.

Risk and Exploitability

The CVSS score of 7.1 categorizes this vulnerability as high severity; no EPSS score is available, and it is not currently listed in the CISA KEV catalog. An attacker only needs a valid user account on the instance; no membership in the affected organization, project, or asset and no special privileges are required. The vulnerability can be exploited over the network by any authenticated user, making it a low-barrier threat to any public asset exposed by DevGuard.

Generated by OpenCVE AI on June 19, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DevGuard to version 1.4.2 or later to apply the official fix.
  • If an upgrade is not yet possible, change the visibility of the affected assets from public to private in the asset settings; this removes the public-read exemption and restores correct authorization on all write endpoints for that asset.
  • For downstream consumers that depend on the public VEX or SBOM endpoints, either grant them explicit access to the private assets or provide them with exported file versions until the patched release is deployed.
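The advisory describes the defect as a public-read exemption in the access-control middleware that also waived authorization for write endpoints, and gives "make the asset private" as the workaround. The following Go program is an added illustration of that flaw class and is not DevGuard's code: the types, the route `/api/assets/{id}/vex-rules`, and the two `authorize` variants are constructed for the example. It runs the same principals and assets through a vulnerable middleware (exemption keyed on visibility alone) and a corrected one (exemption limited to safe HTTP methods), and shows why switching the asset to private also closes the hole in the unpatched variant.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Principal is the authenticated caller. Membership holds the IDs of assets
// whose organization/project the caller belongs to. (Constructed model,
// not DevGuard's own types.)
type Principal struct {
	UserID     string
	Membership map[string]bool
}

// Asset is the protected resource; Public means its vex.json/sbom.json are
// readable without membership.
type Asset struct {
	ID     string
	Public bool
}

// AuthorizeFunc decides whether a principal may perform an HTTP method on an asset.
type AuthorizeFunc func(p Principal, a Asset, method string) bool

// vulnerableAuthorize models the flaw class described in the advisory: the
// public-read exemption is evaluated before the HTTP method is considered,
// so it also waives authorization for state-changing requests.
func vulnerableAuthorize(p Principal, a Asset, method string) bool {
	if a.Public {
		return true // exemption applied to every method, including POST/PUT/DELETE
	}
	return p.Membership[a.ID]
}

// safeMethod reports whether the method is read-only (RFC 9110 "safe" methods).
func safeMethod(method string) bool {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	return false
}

// fixedAuthorize narrows the exemption to safe methods; writes always need
// membership, whatever the asset's visibility.
func fixedAuthorize(p Principal, a Asset, method string) bool {
	if a.Public && safeMethod(method) {
		return true
	}
	return p.Membership[a.ID]
}

// AuthzMiddleware applies an AuthorizeFunc before the next handler. lookup
// resolves the caller and target asset from the request; it is injected here
// so the example needs no session store or database.
func AuthzMiddleware(authorize AuthorizeFunc, lookup func(*http.Request) (Principal, Asset), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, a := lookup(r)
		if !authorize(p, a, r.Method) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one in-memory request through the middleware and returns the
// HTTP status the caller would see. The route is a constructed example path.
func Probe(authorize AuthorizeFunc, p Principal, a Asset, method string) int {
	h := AuthzMiddleware(authorize,
		func(*http.Request) (Principal, Asset) { return p, a },
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) }))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, "/api/assets/"+a.ID+"/vex-rules", nil))
	return rec.Code
}

func main() {
	outsider := Principal{UserID: "user@other-org", Membership: map[string]bool{}}
	member := Principal{UserID: "maintainer@victim-org", Membership: map[string]bool{"asset-1": true}}
	public := Asset{ID: "asset-1", Public: true}
	private := Asset{ID: "asset-1", Public: false} // the advisory's workaround

	cases := []struct {
		name string
		p    Principal
		a    Asset
		m    string
	}{
		{"outsider GET    public", outsider, public, http.MethodGet},
		{"outsider POST   public", outsider, public, http.MethodPost},
		{"member   DELETE public", member, public, http.MethodDelete},
		{"outsider GET    private", outsider, private, http.MethodGet},
		{"outsider POST   private", outsider, private, http.MethodPost},
	}
	for _, c := range cases {
		fmt.Printf("%-24s vulnerable=%d fixed=%d\n", c.name,
			Probe(vulnerableAuthorize, c.p, c.a, c.m), Probe(fixedAuthorize, c.p, c.a, c.m))
	}
}
```

The design point is the ordering of the two checks: visibility may only short-circuit authorization for requests that cannot change state, and the method test has to be an allow-list of safe methods rather than a deny-list of known write verbs, so that a new write endpoint cannot inherit the exemption by accident. The private-asset rows also show why the workaround is effective against the unpatched variant: with no public exemption left to short-circuit, every request falls through to the membership check.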

Advisories

Source: GitHub GHSA
ID: GHSA-6p54-fw2f-q7gf
Title: DevGuard has improper authorization on public assets

History

Fri, 19 Jun 2026 22:30:00 +0000

Type: First Time appeared
Values added: L3montree-dev; L3montree-dev devguard

Type: Vendors & Products
Values added: L3montree-dev; L3montree-dev devguard

Fri, 19 Jun 2026 20:00:00 +0000

Type: Description
Values added: DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2` contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.

Type: Title
Values added: DevGuard has improper authorization on public assets

Type: Weaknesses
Values added: CWE-285; CWE-863

Type: References

Type: Metrics
Values added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:38:04.175Z

Reserved: 2026-05-20T18:40:45.833Z

Link: CVE-2026-48089

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:15:03Z

Weaknesses