GCVE-1-2026-0006
Vulnerability from gna-1 – Published: 2026-01-13 15:37 – Updated: 2026-01-13 15:37
VLAI?
Title
Improper Access Control in Cerebrate AuthKey and EncryptionKey Entities Allows Modification of Sensitive Fields
Summary
Multiple mass assignment vulnerabilities exist in the AuthKey and EncryptionKey entities of Cerebrate prior to the fixed version, where insufficient protection of sensitive fields allowed attackers to modify security-critical attributes. Due to missing or overly permissive $_accessible configurations, attackers could set protected fields such as authentication keys, UUIDs, and primary identifiers, potentially leading to credential manipulation, impersonation, and compromise of cryptographic material.
Severity ?
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
🕵️♂️ Jeroen Pinoy 🐞
Andras Iklody
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cerebrate",
"vendor": "cerebrate",
"versions": [
{
"lessThan": "1.31",
"status": "affected"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple mass assignment vulnerabilities exist in the \u003ccode\u003eAuthKey\u003c/code\u003e and \u003ccode\u003eEncryptionKey\u003c/code\u003e entities of Cerebrate prior to the fixed version, where insufficient protection of sensitive fields allowed attackers to modify security-critical attributes. Due to missing or overly permissive \u003ccode\u003e$_accessible\u003c/code\u003e configurations, attackers could set protected fields such as authentication keys, UUIDs, and primary identifiers, potentially leading to credential manipulation, impersonation, and compromise of cryptographic material.\u003cbr\u003e"
}
],
"value": "Multiple mass assignment vulnerabilities exist in the AuthKey and EncryptionKey entities of Cerebrate prior to the fixed version, where insufficient protection of sensitive fields allowed attackers to modify security-critical attributes. Due to missing or overly permissive $_accessible configurations, attackers could set protected fields such as authentication keys, UUIDs, and primary identifiers, potentially leading to credential manipulation, impersonation, and compromise of cryptographic material."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en"
}
]
},
{
"descriptions": [
{
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/cerebrate-project/cerebrate/commit/e19fdecdda099554082b330fb47d68842aa62a55"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Access Control in Cerebrate AuthKey and EncryptionKey Entities Allows Modification of Sensitive Fields",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-01-13T15:37:17.337254Z",
"dateUpdated": "2026-01-13T15:37:17.337254Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-0006",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-01-13T15:37:17.337254Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…