Description
Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution.

The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.

This issue affects oban_web: from 2.12.0 before 2.12.5.
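The bug class described above, as an added illustration that is not Oban Web's own code: a plain Elixir module whose `save-job` handler mirrors the LiveView `handle_event/3` shape, shown first without the privilege check and then gated on the same kind of `can?/2` check the sibling handlers use. The access levels, the `:update_jobs` permission name and the map standing in for the LiveView socket are assumptions.

```elixir
# Added example, not Oban Web's source. Run with: elixir save_job_authz.exs
# The "socket" is a plain map standing in for a Phoenix.LiveView socket.
defmodule SaveJobAuthz do
  # Hypothetical privilege check mirroring the can?/2 the advisory mentions:
  # only a session with :all access may modify jobs.
  def can?(:update_jobs, access), do: access == :all
  def can?(:cancel_jobs, access), do: access == :all

  # Vulnerable shape: the handler trusts any caller that can push the event,
  # so a :read_only session can rewrite the job's worker field.
  def handle_event_unchecked("save-job", %{"worker" => worker}, socket) do
    {:noreply, put_in(socket, [:assigns, :job, :worker], worker)}
  end

  # Hardened shape: the same gate the cancel/delete/retry handlers apply.
  # An unauthorized request leaves the job untouched and records an error.
  def handle_event("save-job", %{"worker" => worker}, socket) do
    if can?(:update_jobs, socket.assigns.access) do
      {:noreply, put_in(socket, [:assigns, :job, :worker], worker)}
    else
      {:noreply, put_in(socket, [:assigns, :error], :unauthorized)}
    end
  end
end

# Constructed sample session: a read-only user pushes a forged save-job event
# naming a different (existing) worker module.
socket = %{assigns: %{access: :read_only,
                      job: %{id: 42, worker: "MyApp.MailerWorker"}}}
forged = %{"worker" => "MyApp.ExportWorker"}

{:noreply, s1} = SaveJobAuthz.handle_event_unchecked("save-job", forged, socket)
IO.puts("unchecked handler: worker is now #{s1.assigns.job.worker}")

{:noreply, s2} = SaveJobAuthz.handle_event("save-job", forged, socket)
IO.puts("checked handler:   worker stays #{s2.assigns.job.worker}, " <>
        "error=#{inspect(s2.assigns[:error])}")
```

The first call shows the worker silently replaced; the second shows the same event rejected because `:read_only` does not satisfy `can?(:update_jobs, ...)`.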
Published: 2026-05-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The oban_web package contains a missing authorization check in the Elixir.Oban.Web.Jobs.DetailComponent module when it processes the "save-job" LiveView event. This omission allows an authenticated user with only :read_only privileges to overwrite the worker module field of an existing job by sending a forged WebSocket event. The job will later execute perform/1 of the attacker‑chosen worker instead of the intended module, potentially exposing business logic or sensitive data. This flaw is a classic instance of CWE‑862: Missing Authorization.

Affected Systems

Affected deployments are those running oban_web 2.12.0 through, but not including, 2.12.5. The vulnerability is vendor‑specific to the oban-bg oban_web project and does not impact other versions or unrelated software.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, yet the ability to redirect a job to an attacker‑chosen worker module remains a non‑trivial risk. The likely attack vector requires a network‑reachable attacker with an authenticated account, such as a read‑only user, who can reach the LiveView WebSocket and craft the malicious event. Consequently, organizations should treat this as a moderate‑risk vulnerability with the potential to subvert scheduled background work.

Generated by OpenCVE AI on May 26, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update oban_web to version 2.12.5 or later, which adds a required authorization check on the save‑job handler.
  • Review LiveView user access controls and ensure that only users with appropriate privileges can trigger job modification events; consider revoking read‑only rights from users that should not be able to alter jobs.
  • If an immediate upgrade is not feasible, temporarily disable the save‑job event or enforce server‑side validation to reject unauthorized modification requests until a patch can be applied.

Advisories

No advisories yet.

History

Tue, 26 May 2026 21:30:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 20:30:00 +0000

Values added:
Description: Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web: from 2.12.0 before 2.12.5.
Title: Missing authorization check on save-job event handler in oban_web
First Time appeared: Oban Web Project; Oban Web Project oban Web
Weaknesses: CWE-862
CPEs: cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
Vendors & Products: Oban Web Project; Oban Web Project oban Web
References: (none)
Metrics (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-26T20:46:50.037Z

Reserved: 2026-05-22T09:36:56.834Z

Link: CVE-2026-48592

Vulnrichment

Updated: 2026-05-26T20:46:47.428Z

NVD

Status: Received

Published: 2026-05-26T21:16:41.707

Modified: 2026-05-26T21:16:41.707

Link: CVE-2026-48592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses