api-platform core/hal/json-api up to 4.1.28/4.2.24/4.3.7 cache_key cache containing sensitive information
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.7 | $0-$5k | 1.33 |
Summary
A vulnerability was found in api-platform core, hal and json-api up to 4.1.28/4.2.24/4.3.7. It has been classified as problematic. This impacts an unknown function. Performing a manipulation of the argument cache_key results in use of cache containing sensitive information. This vulnerability is identified as CVE-2026-49858. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.
Details
A vulnerability, which was classified as problematic, was found in api-platform core, hal and json-api up to 4.1.28/4.2.24/4.3.7. This affects an unknown code block. The manipulation of the argument cache_key with an unknown input leads to a use of cache containing sensitive information vulnerability. CWE is classifying the issue as CWE-524. The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. This is going to have an impact on confidentiality. The summary by CVE is:
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-49858 since 06/02/2026. The exploitability is told to be difficult. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1592 for this issue.
Upgrading to version 4.1.29, 4.2.25 or 4.3.8 eliminates this vulnerability.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
- 4.1.0
- 4.1.1
- 4.1.2
- 4.1.3
- 4.1.4
- 4.1.5
- 4.1.6
- 4.1.7
- 4.1.8
- 4.1.9
- 4.1.10
- 4.1.11
- 4.1.12
- 4.1.13
- 4.1.14
- 4.1.15
- 4.1.16
- 4.1.17
- 4.1.18
- 4.1.19
- 4.1.20
- 4.1.21
- 4.1.22
- 4.1.23
- 4.1.24
- 4.1.25
- 4.1.26
- 4.1.27
- 4.1.28
- 4.2.0
- 4.2.1
- 4.2.2
- 4.2.3
- 4.2.4
- 4.2.5
- 4.2.6
- 4.2.7
- 4.2.8
- 4.2.9
- 4.2.10
- 4.2.11
- 4.2.12
- 4.2.13
- 4.2.14
- 4.2.15
- 4.2.16
- 4.2.17
- 4.2.18
- 4.2.19
- 4.2.20
- 4.2.21
- 4.2.22
- 4.2.23
- 4.2.24
- 4.3.0
- 4.3.1
- 4.3.2
- 4.3.3
- 4.3.4
- 4.3.5
- 4.3.6
- 4.3.7
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.8VulDB Meta Temp Score: 4.7
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 5.9
CNA Vector (GitHub_M): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Use of cache containing sensitive informationCWE: CWE-524
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: core/hal/json-api 4.1.29/4.2.25/4.3.8
Timeline
06/02/2026 CVE reserved07/01/2026 VulDB entry created
07/02/2026 Advisory disclosed
07/02/2026 VulDB entry last update
Sources
Product: github.comAdvisory: GHSA-pjhx-3c3w-9v23
Status: Confirmed
CVE: CVE-2026-49858 (🔒)
GCVE (CVE): GCVE-0-2026-49858
GCVE (VulDB): GCVE-100-375681
Entry
Created: 07/02/2026 00:43Changes: 07/02/2026 00:43 (65)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.