CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53769

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-09
Summary Avo's direct attachment upload endpoint lacks server-side upload authorization and bypasses the documented field-level upload policy methods such as upload_{FIELD_ID}?. An authenticated Avo user who can reach the Avo attachment upload endpoint can replace or add attachment content, including binary content, filename, and content-type metadata, on a resolved record even when both update? and upload_<field>? policies deny the operation. This primarily affects multi-role Avo Pro/Advanced-style deployments where non-administrator or restricted operator users can reach Avo and per-record or per-field operations are expected to be enforced by policies. Details Avo exposes a direct attachment upload endpoint: POST /<avo-root>/avo_api/resources/:resource_name/:id/attachments/ The vulnerable code path is Avo::AttachmentsController#create: - app/controllers/avo/attachments_controller.rb:9-24 Current behavior: def create blob = ActiveStorage::Blob.create_and_upload! io: params[:file].to_io, filename: params[:filename] association_name = BaseResource.valid_attachment_name(@record, params[:attachment_key]) if association_name @record.send(association_name).attach blob elsif params[:key].blank? raise ActionController::BadRequest.new(...) end render json: { url: main_app.url_for(blob), href: main_app.url_for(blob) } end This endpoint creates an ActiveStorage::Blob before validating the requested attachment association and before any upload authorization could be enforced. If attachment_key resolves to an association, the blob is attached to the target record. If the request uses the key-based/Trix path, the endpoint can still persist the blob and return url/href even when no attachment association is resolved on the target record. The controller never calls: - @resource.authorization.authorize_action("upload_<field>?", record: @record, ...) - @resource.authorization.authorize_action("update?", record: @record, ...) This is inconsistent with the rest of Avo'

⚡ Watch CVE-2026-53769

Get an email if CVE-2026-53769 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53769

CVE.org record

Embed the live status

CVE-2026-53769 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53769 status](https://www.csirts.com/badge/CVE-2026-53769)](https://www.csirts.com/cve/CVE-2026-53769)