CVE-2026-53769
Summary
Avo's direct attachment upload endpoint lacks server-side upload authorization and bypasses the documented field-level upload policy methods such as upload_{FIELD_ID}?.
An authenticated Avo user who can reach the Avo attachment upload endpoint can replace or add attachment content, including binary content, filename, and content-type metadata, on a resolved record even when both update? and upload_<field>? policies deny the operation.
This primarily affects multi-role Avo Pro/Advanced-style deployments where non-administrator or restricted operator users can reach Avo and per-record or per-field operations are expected to be enforced by policies.
Details
Avo exposes a direct attachment upload endpoint:
POST /<avo-root>/avo_api/resources/:resource_name/:id/attachments/
The vulnerable code path is Avo::AttachmentsController#create:
- app/controllers/avo/attachments_controller.rb:9-24
Current behavior:
def create
blob = ActiveStorage::Blob.create_and_upload! io: params[:file].to_io, filename: params[:filename]
association_name = BaseResource.valid_attachment_name(@record, params[:attachment_key])
if association_name
@record.send(association_name).attach blob
elsif params[:key].blank?
raise ActionController::BadRequest.new(...)
end
render json: {
url: main_app.url_for(blob),
href: main_app.url_for(blob)
}
end
This endpoint creates an ActiveStorage::Blob before validating the requested attachment association and before any upload authorization could be enforced. If attachment_key resolves to an association, the blob is attached to the target record. If the request uses the key-based/Trix path, the endpoint can still persist the blob and return url/href even when no attachment association is resolved on the target record.
The controller never calls:
- @resource.authorization.authorize_action("upload_<field>?", record: @record, ...)
- @resource.authorization.authorize_action("update?", record: @record, ...)
This is inconsistent with the rest of Avo'
⚡ Watch CVE-2026-53769
Get an email if CVE-2026-53769 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-53769)