l3montree-dev devguard up to 1.4.1 DevGuard API vex.json improper authorization

Summaryinfo

A vulnerability has been found in l3montree-dev devguard up to 1.4.1 and classified as critical. Impacted is an unknown function of the file vex.json of the component DevGuard API. This manipulation causes improper authorization. This vulnerability is tracked as CVE-2026-48089. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability has been found in l3montree-dev devguard up to 1.4.1 and classified as critical. Affected by this vulnerability is an unknown part of the file vex.json of the component DevGuard API. The manipulation with an unknown input leads to a improper authorization vulnerability. The CWE definition for the vulnerability is CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2`contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2026-48089 since 05/20/2026. The exploitation appears to be easy. The attack can be launched remotely. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1548.002 according to MITRE ATT&CK.

By approaching the search of inurl:vex.json it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 1.4.2 eliminates this vulnerability. Applying the patch 1be88ec1309a5dc0566e35a23bdc4ea3ecd11417 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-38076). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• l3montree-dev

Name

• devguard

Version

• 1.4.0
• 1.4.1

License

• open-source

Website

• Product: https://github.com/l3montree-dev/devguard/

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion