VYPR
Moderate severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 11, 2026

django-unicorn affected by component state manipulation via unvalidated attribute access

CVE-2026-31815

Description

Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Django Unicorn before 0.67.0 lacks access control on component property updates and method calls, allowing attackers to bypass _is_public protection and modify internal state.

Vulnerability

Overview

CVE-2026-31815 is an access control bypass in django-unicorn, a reactive component framework for Django. Prior to version 0.67.0, the framework fails to enforce visibility boundaries defined by the _is_public attribute during property updates and method calls. Specifically, the functions set_property_value() and _call_method_name() in the action parsers use getattr and setattr directly on component instances without verifying whether the target attribute or method is explicitly marked as public [1][3]. This allows an attacker to bypass the intended protection and modify internal attributes or invoke protected methods.

Exploitation

An attacker can exploit this vulnerability by sending a crafted JSON payload to the component's message endpoint. For example, a syncInput action can overwrite the template_name attribute with a value like "admin/base.html". The server-side component then updates its internal state, and subsequent re-rendering displays the content of the targeted template [3]. No special privileges are required beyond network access to the application; any user who can interact with a Unicorn component can attempt this attack.

Impact

The impact is limited to unauthorized manipulation of component state and rendering of existing templates within the application's configured template directories. An attacker could force a component to render sensitive templates (e.g., admin layouts) from other installed applications or reset the component state by invoking the internal reset() method. Remote Code Execution (RCE) is not possible via this vector, and the severity is considered low [3].

Mitigation

The vulnerability is fixed in django-unicorn version 0.67.0. Users are strongly advised to upgrade to this version or later. No workarounds are documented; the fix enforces proper access control checks on all property updates and method calls [1][3].
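As an added illustration of the check that the Overview and Mitigation sections describe (example code written for this page, not django-unicorn's own code and not its 0.67.0 fix), the following Python contrasts the unchecked setattr/getattr pattern with a version that consults a visibility rule before every property update or method call. DemoComponent, its PUBLIC_ATTRIBUTES and PUBLIC_METHODS allowlists, the is_public() helper, apply_actions() and the action queue are all assumptions made for the example; only the attribute names template_name and reset and the syncInput action type come from the advisory text.

```python
"""Illustrative model of the access-control gap described for CVE-2026-31815.

Added example, not django-unicorn's own code: DemoComponent, its
PUBLIC_ATTRIBUTES / PUBLIC_METHODS allowlists, apply_actions() and the
sample action queue are assumptions chosen to show the pattern, not the
framework's real API or the vendor's fix.
"""


class AccessDenied(Exception):
    """Raised when a client action targets a non-public attribute or method."""


class DemoComponent:
    # Hypothetical component: the only names the browser may update or call.
    PUBLIC_ATTRIBUTES = frozenset({"name", "count"})
    PUBLIC_METHODS = frozenset({"increment"})

    def __init__(self):
        self.name = ""
        self.count = 0
        # Internal rendering state; the advisory's example overwrites this.
        self.template_name = "demo/component.html"
        self._reset_calls = 0

    def increment(self):
        self.count += 1
        return self.count

    def reset(self):
        # Internal housekeeping the advisory lists as reachable in vulnerable versions.
        self.name, self.count = "", 0
        self._reset_calls += 1

    def is_public(self, target):
        """Visibility rule: underscore-prefixed or non-allowlisted names are private."""
        if target.startswith("_"):
            return False
        return target in self.PUBLIC_ATTRIBUTES or target in self.PUBLIC_METHODS


def set_property_value_unsafe(component, name, value):
    """Vulnerable pattern as the advisory describes it: the attribute name comes
    straight from the client payload and is written with setattr, no check."""
    setattr(component, name, value)


def set_property_value_safe(component, name, value):
    """Hardened pattern: only declared-public attributes may be written."""
    if not component.is_public(name) or name not in component.PUBLIC_ATTRIBUTES:
        raise AccessDenied(f"attribute {name!r} is not public")
    setattr(component, name, value)


def call_method_safe(component, method_name):
    """Hardened pattern: only declared-public methods may be invoked."""
    if not component.is_public(method_name) or method_name not in component.PUBLIC_METHODS:
        raise AccessDenied(f"method {method_name!r} is not public")
    return getattr(component, method_name)()


# Constructed client action queue (not a captured payload): one legitimate
# update, one legitimate call, and the two internal targets the advisory names.
SAMPLE_ACTIONS = [
    {"type": "syncInput", "name": "name", "value": "alice"},
    {"type": "callMethod", "name": "increment"},
    {"type": "syncInput", "name": "template_name", "value": "admin/base.html"},
    {"type": "callMethod", "name": "reset"},
]


def apply_actions(component, actions):
    """Apply a queue of actions with the hardened checks.

    Returns (applied, rejected). A non-empty rejected list is the signal a
    defender would log or alert on: a legitimate front end never targets
    private names, so rejections indicate tampering with the payload.
    """
    applied, rejected = [], []
    for action in actions:
        try:
            if action["type"] == "syncInput":
                set_property_value_safe(component, action["name"], action["value"])
            elif action["type"] == "callMethod":
                call_method_safe(component, action["name"])
            else:
                raise AccessDenied(f"unknown action type {action['type']!r}")
            applied.append(action["name"])
        except AccessDenied:
            rejected.append(action["name"])
    return applied, rejected


if __name__ == "__main__":
    vulnerable = DemoComponent()
    set_property_value_unsafe(vulnerable, "template_name", "admin/base.html")
    print("unsafe path now renders:", vulnerable.template_name)

    hardened = DemoComponent()
    print("hardened path (applied, rejected):", apply_actions(hardened, SAMPLE_ACTIONS))
    print("hardened template unchanged:", hardened.template_name)
```

Running the module shows the two behaviours side by side: the unsafe path silently replaces the internal template path, while the hardened path applies only the allowlisted update and call and reports the two private targets as rejected. The allowlist-plus-underscore rule is one reasonable shape for the check; what matters is that it runs before getattr/setattr on every client-controlled name, and that rejections are surfaced where they can be monitored.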

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                | Affected versions | Patched versions
-----------------------|-------------------|-----------------
django-unicorn (PyPI)  | < 0.67.0          | 0.67.0

Affected products: 2

Patches: 0



References: 3

News mentions: 0
