Description
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Elide up to version 7.1.17 does not enforce the @ReadPermission annotation on client‑supplied sort expressions evaluated in SortingImpl.getValidSortingRules. When a malicious user supplies a sort parameter that includes a field they lack read permission for, the framework still sorts the returned collection by that field. This ability to sort on hidden fields enables the attacker to infer the relative ordering of values in that field across all rows, effectively leaking information about the value distribution even though the field is otherwise protected.

Affected Systems

The affected product is Yahoo’s Elide framework, in all releases up to and including 7.1.17. Users running any of those versions should confirm their installed version and plan an upgrade to a release that addresses this issue.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity for this vulnerability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so there is no current evidence of exploitation; the likely attack vector is a JSON:API or GraphQL request that carries a sort parameter. An attacker who can trigger sorting on a restricted field can observe the row ordering to derive relative field values, thereby violating the confidentiality of data hidden by @ReadPermission.

Generated by OpenCVE AI on June 29, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Elide 7.1.18 or later to receive the vendor fix that enforces @ReadPermission on sort expressions.
  • If an immediate upgrade is not possible, configure the application to reject or sanitize sort expressions that target fields lacking read permission, effectively disabling sorting on protected fields.
  • Review and tighten GraphQL and JSON:API access controls to ensure that sorting operations respect @ReadPermission annotations and that no indirect information leakage is possible through row ordering.
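The second and third actions above amount to one check: every field named in a client-supplied sort expression must pass the same read-permission test as a field returned in the response, and the request must be rejected otherwise. The following Python model is an added illustration of that check and of why it matters; it is not Elide code and does not use Elide's API. The entity model, role names, `parse_sort` helper and the employee rows are all constructed for the example.

```python
"""Sorting on a field the caller may not read leaks that field's ordering.

Constructed model of the CWE-862 issue described on this page. Nothing here
is Elide code: the Entity model, role names, sort syntax and sample rows are
assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Entity:
    """A toy entity: which fields each role may read, plus the stored rows."""
    readable_by_role: Dict[str, Set[str]]
    rows: List[Dict[str, object]]


class ForbiddenSortField(ValueError):
    """Raised when a sort expression names a field the caller cannot read."""


def parse_sort(sort_expr: str) -> List[Tuple[str, bool]]:
    """Parse a JSON:API style sort string ("-salary,name") into (field, descending) pairs."""
    rules = []
    for token in sort_expr.split(","):
        token = token.strip()
        if token:
            rules.append((token.lstrip("-"), token.startswith("-")))
    return rules


def project(rows: List[Dict[str, object]], readable: Set[str]) -> List[Dict[str, object]]:
    """Drop every field the caller may not read from the returned rows."""
    return [{k: v for k, v in r.items() if k in readable} for r in rows]


def apply_rules(rows: List[Dict[str, object]], rules: List[Tuple[str, bool]]) -> List[Dict[str, object]]:
    """Apply sort rules lowest-priority first so the first rule dominates (stable sort)."""
    out = list(rows)
    for fld, desc in reversed(rules):
        out.sort(key=lambda r: r[fld], reverse=desc)
    return out


def sort_unchecked(entity: Entity, role: str, sort_expr: str) -> List[Dict[str, object]]:
    """Vulnerable behaviour: rows are ordered by the requested field, then hidden
    fields are stripped. The response never contains the field, yet the position
    of each row reveals its rank in that field."""
    rows = apply_rules(entity.rows, parse_sort(sort_expr))
    return project(rows, entity.readable_by_role[role])


def sort_checked(entity: Entity, role: str, sort_expr: str) -> List[Dict[str, object]]:
    """Hardened behaviour: reject the request if any sort field is not readable
    by the caller. Unknown fields fail the same test, so they are rejected too."""
    readable = entity.readable_by_role[role]
    rules = parse_sort(sort_expr)
    forbidden = [f for f, _ in rules if f not in readable]
    if forbidden:
        raise ForbiddenSortField(f"cannot sort by unreadable field(s): {forbidden}")
    return project(apply_rules(entity.rows, rules), readable)


def sort_rejected(entity: Entity, role: str, sort_expr: str) -> bool:
    """True if the hardened path refuses the sort expression for this role."""
    try:
        sort_checked(entity, role, sort_expr)
    except ForbiddenSortField:
        return True
    return False


# Constructed sample data: 'viewer' may read id and name but not salary.
EMPLOYEES = Entity(
    readable_by_role={
        "viewer": {"id", "name"},
        "admin": {"id", "name", "salary"},
    },
    rows=[
        {"id": 1, "name": "Ada", "salary": 90},
        {"id": 2, "name": "Bo", "salary": 120},
        {"id": 3, "name": "Cy", "salary": 100},
    ],
)

if __name__ == "__main__":
    # Unchecked: no salary in the output, but ids come back in salary order.
    print([r["id"] for r in sort_unchecked(EMPLOYEES, "viewer", "-salary")])
    # Checked: the same request is refused before any ordering is observable.
    print(sort_rejected(EMPLOYEES, "viewer", "-salary"))
```

The point the model makes is that field projection alone is not a confidentiality control: `sort_unchecked` returns no `salary` values, yet the order of `id` values is exactly the salary ranking. The fix is to evaluate the read permission at the point where sort rules are validated, before the query is built, which is where the page locates the defect (`SortingImpl.getValidSortingRules`).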

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type                  Values Removed   Values Added
Description                            Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
Title                                  Elide 7.1.17 - Permission Bypass in Sort Expression Validation
First Time appeared                    Elide; Elide elide
Weaknesses                             CWE-862
CPEs                                   cpe:2.3:a:elide:elide:*:*:*:*:*:*:*:*
Vendors & Products                     Elide; Elide elide
References
Metrics                                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
                                       cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T13:41:07.280Z

Reserved: 2026-06-26T13:59:33.048Z

Link: CVE-2026-57954

Vulnrichment

Updated: 2026-06-30T13:40:32.860Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T00:30:06Z

Weaknesses