Incorrect Authorization in wasmCloud
Description
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions 0.52.2 and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <0.52.2
- wasmCloud/wasmcloud-otpv5Range: < 0.52.2
Patches
Vulnerability mechanics
Root cause
"Actor capability claims are not verified upon receiving invocations, allowing unauthorized access."
Attack vector
An actor can bypass capability authorization by sending an invocation to another actor. Normally, actors must declare their capabilities for inbound invocations. However, due to this vulnerability, the actor's capability claims are not checked when an invocation is received. This allows an actor to receive unauthorized invocations from linked capability providers, compromising the security model [ref_id=1].
Affected code
The vulnerability exists in the `HostCore.Actors.ActorModule` module, specifically within the `perform_invocation` function. The patch modifies this function to first call `validate_invocation` before proceeding with the actual invocation logic [ref_id=1].
What the fix does
The patch introduces a new function `validate_invocation` which is called before `perform_invocation` [ref_id=1]. This new function checks if the invoking actor has the necessary capability claims for the requested contract ID. If the claims are not valid, the invocation is rejected with an error, thus preventing unauthorized access.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5mitrex_refsource_MISC
- github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.