Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
Description
Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. Prior to versions 4.13.39 and 5.1.11, if a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user. Versions 4.13.39 and 5.1.11 contain a fix for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Silverstripe Framework versions prior to 4.13.39 and 5.1.11, the GridFieldAddExistingAutocompleter component discloses record titles to unauthorized users.
Vulnerability
Overview
CVE-2023-48714 is an information disclosure vulnerability in Silverstripe Framework, the MVC framework that underpins the Silverstripe CMS. The flaw resides in the GridFieldAddExistingAutocompleter component, which allows users to search for and add existing records to a GridField via an autocomplete interface. Prior to versions 4.13.39 and 5.1.11, if a user was not authorized to view a specific record, but that record was eligible to be added through the GridFieldAddExistingAutocompleter, the record's title could still be accessed by that user [1][2].
Exploitation
Exploitation of this vulnerability requires that a GridField is configured with the GridFieldAddExistingAutocompleter component and that the user has some level of access to the CMS (likely a contributor or editor role). No authentication bypass is needed; the attacker simply needs to be an authenticated user who can interact with the autocomplete field. The attacker can then enumerate record titles that they should not be able to see, by searching for or retrieving records that are technically within the autocomplete's data source but restricted by view permissions [4].
Impact
The impact is limited to the disclosure of record titles (e.g., page names, file names, or other object titles). This could leak sensitive information such as the existence or naming of internal documents, draft pages, or other content that the user should not be aware of. The vulnerability does not allow modification or deletion of records, nor does it grant elevated privileges. The confidentiality of record titles is the primary concern [4].
Mitigation
The issue has been patched in Silverstripe Framework versions 4.13.39 and 5.1.11 [1][4]. Users running earlier versions should upgrade to these patched releases or apply any provided patches. There are no known workarounds; the recommended action is to update the framework. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but should still be treated as a low-to-moderate priority for organizations using Silverstripe CMS with the GridFieldAddExistingAutocompleter in a sensitive context.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| silverstripe/framework | Packagist | < 4.13.39 | 4.13.39 |
| silverstripe/framework | Packagist | >= 5.0.0, < 5.1.11 | 5.1.11 |
Affected products
- silverstripe/silverstripe-framework (v5), range: < 4.13.39
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qm2j-qvq3-j29v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-48714 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2023-48714.yaml (ghsa, WEB)
- github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-qm2j-qvq3-j29v (ghsa, x_refsource_CONFIRM, WEB)
- www.silverstripe.org/download/security-releases/CVE-2023-48714 (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.