CVE-2026-53634 - Vulnerability Details

Description

Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.

Published: 2026-06-10

Score: 4.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An authenticated user can submit new records or retrieve creation forms without having the required create permission on a Sharp entity. The vulnerability arises because the Quick Creation Command feature does not enforce an authorization check on the create and store endpoints in versions earlier than 9.22.3. This allows an attacker who already authenticates to the system to bypass normal permission controls and create or view data for entities they should not have access to, compromising data integrity and potentially confidentiality.

Affected Systems

The issue affects the Sharp content management framework for Laravel, version 9.0.0 through 9.22.2 inclusive, provided by the vendor code16. Any deployment using these versions without the Update to v9.22.3 is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, requiring an authenticated Sharp user who lacks create permissions. Success requires that a Quick Creation Command handler be configured for the target entity. While the flaw does not allow remote code execution or privilege escalation beyond the existing authenticated user, it enables unauthorized data manipulation at a moderate risk level.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code16

sharp

affected

Version	Status	Constraints
`>= 9.0.0, < 9.22.3`	affected	—

No data.

Vendor Product Confidence Versions

Code16

Sharp

100%

Version	Status	Scheme	Platform
`[9.0.0,9.22.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Sharp to version 9.22.3 or later; this includes the authorization check for Quick Creation Command endpoints.
If upgrading is not immediately possible, remove or disable the Quick Creation Command handlers for entities that should not be exposed or add middleware that enforces create permissions on the affected routes.
Implement monitoring of creation and form retrieval logs for unauthorized activity and conduct a periodic audit of permissions and routes to detect similar authorization gaps.

Generated by OpenCVE AI on June 10, 2026 at 23:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/code16/sharp/commit/aa18a85fd8fef830988a336cad2278986729d21a
https://github.com/code16/sharp/pull/729
https://github.com/code16/sharp/releases/tag/v9.22.3
https://github.com/code16/sharp/security/advisories/GHSA-vmwx-m75v-qvch

History

Wed, 10 Jun 2026 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code16 Code16 sharp
Vendors & Products		Code16 Code16 sharp

Wed, 10 Jun 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.
Title		Sharp: Missing Authorization Check in Quick Creation Command Endpoints
Weaknesses		CWE-862
References		https://github.com/code16/sharp/commit/aa18a85fd8fef830988a336cad2278986729d21a https://github.com/code16/sharp/pull/729 https://github.com/code16/sharp/releases/tag/v9.22.3 https://github.com/code16/sharp/security/advisories/GHSA-vmwx-m75v-qvch
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Code16 Sharp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-10T20:03:33.950Z

Updated: 2026-06-10T20:03:33.950Z

Reserved: 2026-06-09T20:16:59.647Z

Link: CVE-2026-53634

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T22:17:01.680

Modified: 2026-06-10T22:17:01.680

Link: CVE-2026-53634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object