ash-project ash up to 3.29.2 Object Attribute dynamically-determined object attributes

Summaryinfo

A vulnerability was found in ash-project ash up to 3.29.2 and classified as problematic. This issue affects some unknown processing of the component Object Attribute Handler. Such manipulation leads to dynamically-determined object attributes. This vulnerability is uniquely identified as CVE-2026-55736. Local access is required to approach this attack. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in ash-project ash up to 3.29.2 and classified as problematic. Affected by this issue is an unknown code of the component Object Attribute Handler. The manipulation with an unknown input leads to a dynamically-determined object attributes vulnerability. Using CWE to declare the problem leads to CWE-915. The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. Impacted is integrity. CVE summarizes:

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete. In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary. An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation. This issue affects ash: from 3.0.0 before 3.29.3.

The weakness was disclosed by Alfred Vié and Jonatan Männchen as GHSA-f4hc-ppw9-4hhw. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2026-55736 since 06/17/2026. The exploitation is known to be easy. The attack needs to be approached locally. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available.

Upgrading to version 3.29.3 eliminates this vulnerability. Applying the patch d9b3100219b3ea86d73202bf7368c03a7688efea is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Project Management Software

Vendor

• ash-project

Name

• ash

Version

• 3.29.0
• 3.29.1
• 3.29.2

License

• open-source

Website

• Product: https://github.com/ash-project/ash/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion