Description
Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled.
Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching.
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cerebrate before version 1.37 contains a mass-assignment flaw in the generic CRUD add handler. The code removes an attacker-supplied id from the request parameters, then normalizes the input; however, the normalized input can still contain an id field. This allows a user who can reach the vulnerable add endpoint to create new objects with identifiers of their choosing. Successful exploitation can lead to unauthorized object creation, data manipulation, spoofing of existing records, and possible disruption caused by identifier collisions.

Affected Systems

Cerebrate, all releases earlier than 1.37. No version numbers are provided beyond this upper bound; users should verify that they are running version 1.37 or later to avoid the issue.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting that while the probability of exploitation is unknown, the potential impact is significant. The likely attack vector is an HTTP request to a publicly or otherwise exposed CRUD add endpoint; the attacker needs permission to reach that endpoint but does not require elevated privileges to cause the problem.

Generated by OpenCVE AI on June 11, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cerebrate to version 1.37 or later
  • If an upgrade is not immediately possible, restrict write access to the affected add endpoints so only trusted, authenticated users can create new objects
  • Configure the application to explicitly reject any id field in incoming requests during object creation
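The ordering bug from the description and the last action above, shown side by side as an added illustration (this is not Cerebrate's code). It assumes a hypothetical normalizer that rebuilds the input from the raw request body, which is why a field dropped from $params before normalization can reappear in $input.

```php
<?php
// Added illustration of the ordering bug in the advisory, not Cerebrate's code.
// Assumption (hypothetical): the normalizer rebuilds the input from the raw
// request body, so a field dropped from $params before it runs can reappear.

function massageInput(array $params, array $rawBody): array
{
    $input = $params;
    foreach ($rawBody as $key => $value) {
        $input[trim($key)] = $value;   // hypothetical normalization step
    }
    return $input;
}

// Vulnerable ordering: id is stripped from $params before normalization.
function addVulnerable(array $params, array $rawBody): array
{
    unset($params['id']);
    $input = massageInput($params, $rawBody);
    return $input;   // would be handed to entity patching with id still inside
}

// Fixed ordering: id is stripped from the normalized $input, right before patching.
function addFixed(array $params, array $rawBody): array
{
    $input = massageInput($params, $rawBody);
    unset($input['id']);
    return $input;
}

// Constructed request in which the caller tries to pick the record identifier.
$params  = ['id' => 42, 'name' => 'example-org'];
$rawBody = ['id' => 42, 'name' => 'example-org'];

foreach (['addVulnerable', 'addFixed'] as $handler) {
    $input = $handler($params, $rawBody);
    printf("%-13s id present: %s\n", $handler,
        array_key_exists('id', $input) ? 'yes' : 'no');
}
```

The same check belongs on every server-controlled field, not only id; stripping them after normalization, or patching through an explicit allow-list of client-writable fields, closes the gap regardless of what the normalizer merges in.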

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 08:30:00 +0000

Type | Values removed | Values added

Description | | Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled. Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching.

Title | | Cerebrate before v1.37 allows mass assignment of record identifiers during object creation

Weaknesses | | CWE-20

References | |

Metrics | | cvssV4_0: score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/U:Amber

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-11T07:31:37.630Z

Reserved: 2026-06-11T07:30:42.737Z

Link: CVE-2026-53901

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T09:16:25.763

Modified: 2026-06-11T09:16:25.763

Link: CVE-2026-53901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T09:30:11Z

Weaknesses