Description
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
Published: 2026-07-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing safety gate in the JSON:API and HAL item normalizers of API Platform Core allows the componentsCache arrays to be keyed on a cache key that is not ensured to be safe. As a result, the attribute, relationship, and link structure produced for one request can be reused for a subsequent request that belongs to a different user. The security predicates defined with #[ApiProperty(security: ...)] are evaluated per request to decide whether a field should be exposed. Because the cache is shared across users, a user with lower privileges may see the structure of properties that the security check would otherwise hide. This leads to an accidental disclosure of information and matches CWE-524 (Use of Cache Containing Sensitive Information) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

API Platform packages api-platform/hal, api-platform/json-api, and api-platform/core are affected when running from version 2.6.0 up to 4.1.28 inclusive, from 4.2.0 up to 4.2.25 inclusive, and from 4.3.0 up to 4.3.11 inclusive. The fix is already applied in releases 4.1.29, 4.2.26, and 4.3.12 respectively.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate risk. The EPSS score is < 1%, indicating a very low but non-zero likelihood of exploitation. The attack does not require a public exploit; an attacker who can make API requests on behalf of two distinct users can trigger the normalizers for each user, causing the cached attribute structure to be reused. The attack vector is inferred to be direct API calls that invoke the affected normalizers, targeting endpoints that expose user data. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on July 2, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed release – upgrade to 4.1.29, 4.2.26, or 4.3.12 depending on your current major version.
  • If an immediate upgrade is not feasible, clear or disable the componentsCache used by the JSON:API and HAL item normalizers between requests to stop reuse of cached attribute structures.
  • After applying the patch or cache mitigation, validate that API responses for users at different privilege levels do not reveal attributes that should be hidden by the security predicates.

Generated by OpenCVE AI on July 2, 2026 at 18:31 UTC.
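The cache-reuse pattern described above, and the post-upgrade validation step from the recommended actions, as an added illustrative example that is not OpenCVE's or API Platform's own code. It models a normalizer with a components cache shared across requests and keyed on $context['cache_key'], a per-property security predicate standing in for #[ApiProperty(security: ...)], and a gate that bypasses the cache whenever exposure depends on per-request state. The class names, the shape of the gate (isCacheKeySafe here is a toy, not the project's real method), the role names and the sample resource are all constructed for this example.

```php
<?php
// Added illustrative example (not API Platform's own code). The gate below is an
// assumption about the fix's shape: it refuses to share cached structure when any
// property's exposure is decided by a per-request security predicate.
declare(strict_types=1);

final class PropertyMeta
{
    public function __construct(
        public readonly string $name,
        // Security predicate over the request context; null means always exposed (constructed).
        public readonly ?Closure $security = null,
    ) {}
}

final class ToyItemNormalizer
{
    /** @var array<string, array{attributes: list<string>}> shared across requests, like componentsCache */
    private array $componentsCache = [];

    /** @param list<PropertyMeta> $properties */
    public function __construct(private readonly array $properties, private readonly bool $gated) {}

    /** Returns the JSON:API-style component structure for one request. */
    public function normalize(array $context): array
    {
        // As in the advisory: the key comes straight from the context, unconditionally.
        $key = $context['cache_key'];

        // Vulnerable variant (gated=false) treats every key as safe to reuse.
        $cacheKeySafe = !$this->gated || $this->isCacheKeySafe();

        if ($cacheKeySafe && isset($this->componentsCache[$key])) {
            return $this->componentsCache[$key]; // structure computed for an earlier request
        }

        $components = ['attributes' => []];
        foreach ($this->properties as $prop) {
            if ($prop->security === null || ($prop->security)($context)) {
                $components['attributes'][] = $prop->name;
            }
        }

        if ($cacheKeySafe) {
            $this->componentsCache[$key] = $components;
        }
        return $components;
    }

    // Toy gate: the structure is request dependent as soon as one property carries a predicate.
    private function isCacheKeySafe(): bool
    {
        foreach ($this->properties as $prop) {
            if ($prop->security !== null) {
                return false;
            }
        }
        return true;
    }
}

// Validation from the recommended actions: warm the cache with a high-privilege
// request, then normalize for a low-privilege user with the same cache key and
// return every attribute the low-privilege response shows but should not.
function leakedAttributes(ToyItemNormalizer $n, array $properties, string $cacheKey): array
{
    $high = ['cache_key' => $cacheKey, 'roles' => ['ROLE_ADMIN']];
    $low  = ['cache_key' => $cacheKey, 'roles' => ['ROLE_USER']];

    $n->normalize($high);
    $seen = $n->normalize($low)['attributes'];

    $expected = [];
    foreach ($properties as $p) {
        if ($p->security === null || ($p->security)($low)) {
            $expected[] = $p->name;
        }
    }
    return array_values(array_diff($seen, $expected));
}

// Constructed resource: 'email' is only exposed to admins.
$isAdmin    = static fn (array $ctx): bool => in_array('ROLE_ADMIN', $ctx['roles'], true);
$properties = [new PropertyMeta('id'), new PropertyMeta('name'), new PropertyMeta('email', $isAdmin)];

$vulnerable = new ToyItemNormalizer($properties, gated: false);
$fixed      = new ToyItemNormalizer($properties, gated: true);

var_dump(leakedAttributes($vulnerable, $properties, 'User:jsonapi'));
var_dump(leakedAttributes($fixed, $properties, 'User:jsonapi'));
```

Run with PHP 8.1 or later. The ungated instance reports the admin-only attribute for the ROLE_USER request because the structure cached during the admin request is handed back unchanged; the gated instance recomputes the structure and reports nothing. The same two-user comparison, driven against real endpoints after upgrading, is the check the recommended actions ask for.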


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 20:00:00 +0000

Type / Values Removed / Values Added
  • Description – removed: none; added: the description text shown in the Description section above.
  • Title – removed: none; added: API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
  • Weaknesses – removed: none; added: CWE-524, CWE-639
  • References – removed: none; added: (no values shown)
  • Metrics – removed: none; added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-02T12:20:09.370Z

Reserved: 2026-06-01T22:03:19.640Z

Link: CVE-2026-49858

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T18:45:16Z

Weaknesses
  • CWE-524

    Use of Cache Containing Sensitive Information

  • CWE-639

    Authorization Bypass Through User-Controlled Key