CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-pqpw-cvm4-8mv9: Avo: Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy

mediumCVSS 6.5CVE-2026-53769
Summary Avo's direct attachment upload endpoint lacks server-side upload authorization and bypasses the documented field-level upload policy methods such as upload_{FIELD_ID}?. An authenticated Avo user who can reach the Avo attachment upload endpoint can replace or add attachment content, including binary content, filename, and content-type metadata, on a resolved record even when both update? and upload_<field>? policies deny the operation. This primarily affects multi-role Avo Pro/Advanced-style deployments where non-administrator or restricted operator users can reach Avo and per-record or per-field operations are expected to be enforced by policies. Details Avo exposes a direct attachment upload endpoint: POST /<avo-root>/avo_api/resources/:resource_name/:id/attachments/ The vulnerable code path is Avo::AttachmentsController#create: - app/controllers/avo/attachments_controller.rb:9-24 Current behavior: def create blob = ActiveStorage::Blob.create_and_upload! io: params[:file].to_io, filename: params[:filename] association_name = BaseResource.valid_attachment_name(@record, params[:attachment_key]) if association_name @record.send(association_name).attach blob elsif params[:key].blank? raise ActionController::BadRequest.new(...) end render json: { url: main_app.url_for(blob), href: main_app.url_for(blob) } end This endpoint creates an ActiveStorage::Blob before validating the requested attachment association and before any upload authorization could be enforced. If attachment_key resolves to an association, the blob is attached to the target record. If the request uses the key-based/Trix path, the endpoint can still persist the blob and return url/href even when no attachment association is resolved on the target record. The controller never calls: - @resource.authorization.authorize_action("upload_<field>?", record: @record, ...) - @resource.authorization.authorize_action("update?", record: @record, ...) This is inconsistent with the rest of Avo'

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.5
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-pqpw-cvm4-8mv9

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-53769coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories