Description
Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity.

The discovery of these potential vulnerabilities builds on an initial finding by Jeroen Pinoy, with additional AI-assisted support from Optus 4.8 (the commit wrongly credits Claude Fable 5 as the model used), coordinated by Andras Iklody.
Published: 2026-06-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cerebrate versions prior to 1.37 permitted an attacker to include a primary key id in a CRUD edit request; if the target entity did not explicitly block write access to the id field, the save operation updated the record whose id matched the supplied value rather than the record identified by the route parameter. This primary-key mass-assignment flaw, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), lets an authenticated user modify the writable fields of another record of the same entity type, potentially altering permissions, settings or other sensitive data and thereby compromising data integrity.

Affected Systems

The flaw exists in the cerebrate:cerebrate application up to and including version 1.36. It affects several entity types inheriting permissive mass-assignment defaults, such as User, Role, UserSetting, LocalTool, PermissionLimitation and EnumerationCollection, each exposed through edit or patch endpoints. Of these, the UserSettings edit endpoint was reachable by any authenticated user; what an attacker can reach on the other entity types depends on the role required by their respective endpoints.

Risk and Exploitability

The CVSS 4.0 score of 6.3 (vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N) indicates moderate severity: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires low privileges, i.e. an authenticated account. The EPSS score is below 1%, suggesting limited publicly observed exploitation, and Cerebrate is not listed in CISA's KEV catalog. When a crafted edit payload containing another record's id is submitted to a reachable edit or patch endpoint, the server updates that record instead of the one named in the route, resulting in unauthorized data modification. Given the moderate score and lack of widespread attacks, the threat is considered moderate but not negligible.

Generated by OpenCVE AI on June 11, 2026 at 12:26 UTC.

Remediation

Vendor fix: Cerebrate 1.37 strips id from request input after marshalling callbacks and globally marks id as inaccessible in the base AppModel entity. No separate workaround is provided.

OpenCVE Recommended Actions

  • Upgrade Cerebrate to version 1.37 or later, which strips id from request input and globally marks it inaccessible
  • Configure all affected entity models to mark the id field as inaccessible, thereby disabling mass assignment of the primary key
  • Restrict the edit and patch endpoints to only authorized users with appropriate roles, and monitor logs for edit requests whose body carries an id that differs from the id in the route
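The edit flow described in the Description (entity loaded by route id, patched with request input, then saved) and the two mitigations listed above, as an added example that is not Cerebrate's or CakePHP's code: a small Python model of a CakePHP-style entity with an accessible map and a table keyed by primary key. It shows how the permissive default lets a body id redirect the save to another row, and how either marking id inaccessible on the entity or stripping id from the request input stops it. The class names, the sample rows and the strip_id switch are all hypothetical.

```python
"""Model of the Cerebrate id mass-assignment bug (CVE-2026-53911) and its fix.

Added example, not Cerebrate's or CakePHP's code. It imitates the relevant
behaviour of a CakePHP-style ORM: a table keyed by primary key, entities
with an accessible map deciding which fields request input may set, and an
edit flow that loads the entity named in the route, patches it with the
request body and saves. Every class, function and row here is hypothetical.
"""
from copy import deepcopy


class Entity:
    """Stand-in for a CakePHP entity: accessible map plus dirty-field tracking."""

    # '*': True is the permissive default the affected Cerebrate entities
    # inherited; subclasses narrow it.
    accessible = {"*": True}

    def __init__(self, data):
        self.data = dict(data)
        self.dirty = set()

    def is_accessible(self, field):
        if field in self.accessible:
            return self.accessible[field]
        return self.accessible.get("*", False)

    def patch(self, request_data):
        """Mass-assign request fields onto the entity, honouring is_accessible()."""
        for field, value in request_data.items():
            if self.is_accessible(field) and self.data.get(field) != value:
                self.data[field] = value
                self.dirty.add(field)
        return self


class PermissiveUserSetting(Entity):
    """Vulnerable shape: id silently inherits the permissive '*' default."""
    accessible = {"*": True}


class HardenedUserSetting(Entity):
    """Fixed shape: id explicitly inaccessible (the base-entity half of the 1.37 fix)."""
    accessible = {"*": True, "id": False}


class Table:
    """Rows keyed by primary key; save() writes wherever entity.data['id'] points."""

    def __init__(self, rows, entity_cls):
        self.rows = {r["id"]: dict(r) for r in rows}
        self.entity_cls = entity_cls

    def get(self, pk):
        return self.entity_cls(self.rows[pk])

    def save(self, entity):
        # Like an ORM UPDATE ... WHERE id = :id: the row written is chosen by
        # the entity's current id, not by the id it was loaded with.
        row = self.rows[entity.data["id"]]
        for field in entity.dirty:
            row[field] = entity.data[field]
        return entity


def edit(table, route_id, request_data, strip_id=False):
    """CRUD edit: load the record named in the route, patch with input, save."""
    if strip_id:
        # The other half of the 1.37 fix: drop id from request input so it can
        # never override the key of the record loaded from the route.
        request_data = {k: v for k, v in request_data.items() if k != "id"}
    entity = table.get(route_id)
    entity.patch(request_data)
    table.save(entity)
    return table


# Constructed sample data: one settings row for each of two users.
SAMPLE_ROWS = [
    {"id": 1, "user_id": 1, "name": "ui.theme", "value": "light"},
    {"id": 2, "user_id": 2, "name": "ui.theme", "value": "light"},
]


def run_scenario(entity_cls, strip_id=False):
    """User 1 edits their own row (route id 1) but smuggles id=2 in the body.

    Returns the table rows after the edit so the caller can see which row moved.
    """
    table = Table(deepcopy(SAMPLE_ROWS), entity_cls)
    crafted_body = {"id": 2, "value": "dark"}
    edit(table, route_id=1, request_data=crafted_body, strip_id=strip_id)
    return table.rows


if __name__ == "__main__":
    for label, cls, strip in [
        ("vulnerable (id accessible)", PermissiveUserSetting, False),
        ("fixed (id inaccessible)", HardenedUserSetting, False),
        ("fixed (id stripped from input)", PermissiveUserSetting, True),
    ]:
        rows = run_scenario(cls, strip)
        print(f"{label}: row 1 -> {rows[1]['value']}, row 2 -> {rows[2]['value']}")
```

In the vulnerable run, row 2 (another user's setting) ends up with value "dark" while row 1, the one named in the route, is untouched; in both fixed runs the change lands on row 1. In CakePHP itself the equivalent of HardenedUserSetting is an 'id' => false entry in the entity's $_accessible array, which is what applying the fix globally in a base entity class achieves for every subclass at once.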



Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000 (values removed: none)

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:00:00 +0000 (values removed: none)

Type: Description
Values added: the full description shown at the top of this page

Type: Title
Values added: Cerebrate primary key mass assignment in CRUD edit operations allows authenticated users to overwrite unrelated records

Type: Weaknesses
Values added: CWE-639

Type: References
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-11T09:41:46.124Z

Reserved: 2026-06-11T09:41:25.932Z

Link: CVE-2026-53911

Vulnrichment

Updated: 2026-06-11T12:43:13.371Z

NVD

Status: Received

Published: 2026-06-11T10:16:21.757

Modified: 2026-06-11T10:16:21.757

Link: CVE-2026-53911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key