CVE-2026-53634
Description
Sharp CMS versions before 9.22.3 allowed authenticated users to bypass authorization for Quick Creation Commands, enabling unauthorized record creation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
From version 9.0.0 to before 9.22.3, the create and store endpoints for Sharp's Quick Creation Command feature lacked authorization checks. This allowed any authenticated Sharp user to bypass restrictions and access or submit records for entities with a configured Quick Creation Command handler, even if they lacked the necessary create permissions [4].
Exploitation
An attacker who is already authenticated into the Sharp CMS can exploit this vulnerability. By navigating to the specific entity's Quick Creation Command endpoint, they can either view the creation form or submit new records without possessing the required 'create' permission for that entity, provided a Quick Creation Command handler is configured [4].
Impact
Successful exploitation allows an authenticated attacker to create new records within an entity without proper authorization. This can lead to unauthorized data entry and manipulation, potentially corrupting data or introducing malicious content, depending on the entity's function within the CMS [4].
Mitigation
This vulnerability has been patched in Sharp version 9.22.3, released on 2023-07-11 [3]. Users are advised to upgrade to version 9.22.3 or later. As a workaround, administrators can remove or disable Quick Creation Command handlers (quickCreationCommandHandler()) on entities where unauthorized access is a concern until an upgrade can be performed [4].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1aa18a85fd8fe Add authorization checks to quick creation commands (#729)
2 files changed · +37 −3
src/Http/Controllers/Api/Commands/ApiEntityListQuickCreationCommandController.php+4 −3 modified@@ -12,14 +12,14 @@ class ApiEntityListQuickCreationCommandController extends Controller use HandlesCommandForm; use HandlesCommandResult; - public function __construct( - private readonly SharpUploadManager $uploadManager, - ) { + public function __construct(private readonly SharpUploadManager $uploadManager) + { parent::__construct(); } public function create(string $globalFilter, EntityKey $entityKey, EntityKey $formEntityKey) { + $this->authorizationManager->check('create', $entityKey); $entity = $this->entityManager->entityFor($entityKey); $list = $entity->getListOrFail(); @@ -51,6 +51,7 @@ public function create(string $globalFilter, EntityKey $entityKey, EntityKey $fo public function store(string $globalFilter, EntityKey $entityKey, EntityKey $formEntityKey) { + $this->authorizationManager->check('create', $entityKey); $list = $this->entityManager->entityFor($entityKey)->getListOrFail(); $list->buildListConfig();
tests/Http/Api/Commands/ApiEntityListQuickCreationCommandControllerTest.php+33 −0 modified@@ -6,6 +6,7 @@ use Code16\Sharp\Tests\Fixtures\Entities\PersonEntity; use Code16\Sharp\Tests\Fixtures\Sharp\PersonForm; use Code16\Sharp\Tests\Fixtures\Sharp\PersonList; +use Code16\Sharp\Utils\Entities\SharpEntityManager; use Code16\Sharp\Utils\Fields\FieldsContainer; use Illuminate\Support\Facades\Exceptions; @@ -326,3 +327,35 @@ public function update($id, array $data) 'link' => url('/sharp/root/s-list/person/s-show/person/1/s-show/colleague/4'), ]); }); + +it('checks for entity authorizations when using a quick creation command', function () { + fakeListFor('person', new class() extends PersonList + { + public function buildListConfig(): void + { + $this->configureQuickCreationForm(); + } + }); + + app(SharpEntityManager::class) + ->entityFor('person') + ->setProhibitedActions(['create']); + + $this + ->getJson( + route('code16.sharp.api.list.command.quick-creation-form.create', [ + 'entityKey' => 'person', + 'formEntityKey' => 'person', + ]), + ) + ->assertForbidden(); + + $this + ->postJson( + route('code16.sharp.api.list.command.quick-creation-form.create', [ + 'entityKey' => 'person', + 'formEntityKey' => 'person', + ]), + ) + ->assertForbidden(); +});
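Review bot: in the first controller hunk the new `$this->authorizationManager->check('create', $entityKey);` in `create()` is evaluated before `entityFor($entityKey)`, so unauthorized callers never reach the list, but the method also receives a separate `EntityKey $formEntityKey` that the check does not cover; if the form entity can differ from the list entity, the `create` ability should be checked on `$formEntityKey` as well, or the two keys asserted equal. The constructor reflow in the same hunk is unrelated whitespace churn and would be cleaner as its own commit.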
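Review bot: the `store()` hunk places the check before `getListOrFail()` and `buildListConfig()`, which is the right ordering, but as in `create()` only `$entityKey` is checked while `$formEntityKey` is left unverified; please confirm the two keys are guaranteed to match or add the second check so the submit path cannot be authorized against one entity and persist into another.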
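Review bot: the regression test builds both the GET and the POST from the same route name, `code16.sharp.api.list.command.quick-creation-form.create`; if `store` is registered under its own route name the POST should use it so the test actually exercises `store()`. It also uses `'person'` for both `entityKey` and `formEntityKey` and only asserts the forbidden case; adding a case where the two keys differ and a positive case showing an authorized user still gets a successful response would guard against both an incomplete and an over-broad check.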
Vulnerability mechanics
Root cause
"The create and store endpoints for the Quick Creation Command feature lacked authorization checks."
Attack vector
An authenticated user with insufficient privileges can access the create and store endpoints of the Quick Creation Command feature. This allows them to bypass authorization checks and either view the creation form or submit new records for an entity, provided a handler is configured [ref_id=1]. The vulnerability exists in versions prior to 9.22.3.
Affected code
The vulnerability resides in the `create` and `store` methods of the `ApiEntityListQuickCreationCommandController` class. The patch modifies these methods by adding a call to `$this->authorizationManager->check('create', $entityKey);` before proceeding with the request [patch_id=5531325].
What the fix does
The patch introduces authorization checks to the `create` and `store` methods within the `ApiEntityListQuickCreationCommandController`. Specifically, `$this->authorizationManager->check('create', $entityKey);` is added to both methods [patch_id=5531325]. This ensures that only users with the necessary 'create' permission for the given entity can access these endpoints, thereby closing the bypass vulnerability.
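The pattern the fix restores, as an added illustration rather than Sharp's own code: a two-step creation flow in which the per-entity `create` ability is checked on both the form endpoint and the submit endpoint, with a flag that reproduces the unchecked pre-fix behaviour for comparison. The class and user names (`AuthorizationManager`, `QuickCreationController`, `viewer`, `editor`), the entity and the ability sets are hypothetical stand-ins constructed for this example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the required ability on an entity (HTTP 403)."""


@dataclass
class User:
    name: str
    # abilities granted per entity key, e.g. {"person": {"view", "create"}}
    abilities: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class Entity:
    key: str
    has_quick_creation_form: bool  # stands in for a configured quick creation handler
    records: list[dict] = field(default_factory=list)


class AuthorizationManager:
    """Deny-by-default per-entity check, modelled on the
    authorizationManager->check('create', $entityKey) call in the patch."""

    def check(self, user: User, ability: str, entity_key: str) -> None:
        if ability not in user.abilities.get(entity_key, set()):
            raise Forbidden(f"{user.name} lacks '{ability}' on '{entity_key}'")


class QuickCreationController:
    """Two endpoints of one creation flow: GET create (form) and POST store."""

    def __init__(self, entities: dict, auth: AuthorizationManager, check_permissions: bool):
        self.entities = entities
        self.auth = auth
        # False reproduces the pre-fix behaviour: neither endpoint checks anything.
        self.check_permissions = check_permissions

    def _entity_or_fail(self, key: str) -> Entity:
        entity = self.entities[key]
        if not entity.has_quick_creation_form:
            raise LookupError(f"no quick creation form configured for '{key}'")
        return entity

    def create(self, user: User, entity_key: str) -> dict:
        # The check comes first: even rendering the form reveals entity structure.
        if self.check_permissions:
            self.auth.check(user, "create", entity_key)
        entity = self._entity_or_fail(entity_key)
        return {"entity": entity.key, "fields": ["name"]}

    def store(self, user: User, entity_key: str, data: dict) -> dict:
        # Checked again here: gating the form does not gate the submit.
        if self.check_permissions:
            self.auth.check(user, "create", entity_key)
        entity = self._entity_or_fail(entity_key)
        entity.records.append(dict(data))
        return {"status": 201, "record": dict(data)}


def outcome(call, *args) -> str:
    """Map a controller call to the HTTP-style result the page's test asserts on."""
    try:
        call(*args)
        return "ok"
    except Forbidden:
        return "forbidden"


def run_scenario(check_permissions: bool) -> dict:
    """Exercise both endpoints as a user without 'create' and as one with it."""
    entities = {"person": Entity("person", has_quick_creation_form=True)}
    viewer = User("viewer", {"person": {"view"}})            # constructed: no 'create'
    editor = User("editor", {"person": {"view", "create"}})  # constructed: may create
    controller = QuickCreationController(entities, AuthorizationManager(), check_permissions)
    results = {
        "viewer_create": outcome(controller.create, viewer, "person"),
        "viewer_store": outcome(controller.store, viewer, "person", {"name": "x"}),
        "editor_create": outcome(controller.create, editor, "person"),
        "editor_store": outcome(controller.store, editor, "person", {"name": "y"}),
    }
    results["records_created"] = len(entities["person"].records)
    return results


if __name__ == "__main__":
    print("before fix:", run_scenario(check_permissions=False))
    print("after fix: ", run_scenario(check_permissions=True))
```

The point of running both scenarios is visible in `records_created`: without the check the viewer's submit lands a record, with it only the editor's does, while the editor's own calls are unaffected, which is the positive case a regression test should also cover.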
Preconditions
- auth: The attacker must be an authenticated user.
- config: The target entity must have a Quick Creation Command handler configured.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
No linked articles in our index yet.