CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-pjhx-3c3w-9v23: API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate

mediumCVSS 5.9CVE-2026-49858
Impact #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This is the same vulnerability class as GHSA-428q-q3vv-3fq3 / CVE-2025-31485, which fixed only the GraphQL ItemNormalizer. The JSON:API and HAL paths were not addressed at the time. Exploitation conditions Exploitation requires all of the following to coincide: - The application exposes a resource via the JSON:API and/or HAL formats. - At least one property of that resource uses #[ApiProperty(security: ...)] with a predicate whose result depends on the current user (or on per-request state). - A request from a user for whom the predicate evaluates to true populates componentsCache before a request from a user for whom the predicate evaluates to false, within the lifetime of the same PHP process. - The deployment uses a long-running PHP runtime that keeps the normalizer instance alive across requests (FrankenPHP worker mode, RoadRunner, Swoole, ReactPHP, etc.). With classic php-fpm workers the cache only survives the duration of a single request, which makes the issue much harder to observe in practice. Patches - 4.1.29 - 4.2.25 - 4.3.8 All three branches receive patched releases of api-platform/core, api-platform/json-api, and api-platform/hal. Workarounds Override the JSON:API and HAL ItemNormalizer services to gate $context['cache_key'] with a resource-class security check, or avoid #[ApiProperty(secur

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.9
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-pjhx-3c3w-9v23

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49858coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories