CVE-2026-53901
Description
A mass-assignment vulnerability in Cerebrate before v1.37 lets an attacker supply a server-controlled id during object creation, enabling spoofing or collision.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add endpoint. The add() handler attempted to remove an attacker-supplied id from the $params array before normalizing the request through __massageInput(). However, because the normalized $input could still contain an id field (the removal occurred too early), a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled [1].
Exploitation
An attacker with network access to an affected Cerebrate instance and the ability to reach any add endpoint (no special authentication is mentioned as a prerequisite, but permissions depend on the model) can craft a request that includes an id parameter. The early removal of id from $params is ineffective because __massageInput() re-introduces or preserves it, allowing the attacker-chosen identifier to be processed [1].
Impact
Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions [1].
Mitigation
The issue was fixed in v1.37 by moving the unset() of id to operate on the normalized $input array instead of the raw $params, before entity patching [1]. Users should upgrade to Cerebrate version 1.37 or later. No workarounds are documented in the available references.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.37
Patches
1aff1ca707c8f fix: [security] mass assignment via incomplete unsetting of id
1 file changed · +3 −3
src/Controller/Component/CRUDComponent.php+3 −3 modified@@ -447,10 +447,10 @@ public function add(array $params = []): void 'associated' => [], 'accessibleFields' => $data->getAccessibleFieldForNew(), ]; - if (!empty($params['id'])) { - unset($params['id']); - } $input = $this->__massageInput($params); + if (!empty($input['id'])) { + unset($input['id']); + } if (!empty($params['fields'])) { $patchEntityParams['fields'] = $params['fields']; }
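Review bot: the `!empty($input['id'])` guard around the relocated `unset()` is unnecessary and leaves an edge case: `unset()` on a missing key is already a no-op, while `empty()` is true for `'0'`, `0` and `''`, so a request carrying `id => '0'` would pass the normalized array through to `patchEntity` unchanged. An unconditional `unset($input['id']);` directly after `$input = $this->__massageInput($params);` is simpler and closes that case; a regression test that submits an `id` with an add request and asserts the created entity received a server-assigned id would pin the corrected ordering.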
Vulnerability mechanics
Root cause
"Incomplete sanitization: id is removed from $params before normalization but __massageInput() can reintroduce it, allowing attacker-controlled identifiers."
Attack vector
An attacker who can reach an affected CRUD add endpoint sends a request that includes an `id` parameter. The original code unsets `id` from `$params` before normalization, but `__massageInput()` can reintroduce an `id` field into the normalized `$input` array [patch_id=5589052]. Because the normalized `$input` is not sanitized for `id`, the attacker-supplied identifier is passed to the entity patching logic, allowing creation of objects whose identifier, a field that should be server-controlled, is chosen by the attacker.
Affected code
The vulnerability is in `src/Controller/Component/CRUDComponent.php` in the `add()` method [patch_id=5589052]. The original code removed an attacker-supplied `id` from `$params` before calling `__massageInput()`, but the normalized `$input` returned by that method could still contain an `id` field, which was then used when patching the entity.
What the fix does
The patch moves the `id` removal from before `__massageInput()` to after it, so the normalized `$input` is sanitized before entity patching [patch_id=5589052]. This ensures that even if `__massageInput()` propagates an `id` field from the original request parameters, it is stripped before the entity is created, restoring server control over object identifiers.
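To make the ordering concrete, here is an added PHP sketch that is not Cerebrate's code: `massageInput()` is an assumed stand-in for `__massageInput()` that merges a JSON body into the flat parameter array (one way a normalizer can resurface a stripped key), `patchEntity()` is a stand-in for entity patching, and `addVulnerable()` / `addFixed()` mirror the before and after of the patch.

```php
<?php
// Added illustration, not Cerebrate's code. The normalizer below is an
// ASSUMPTION about how a key removed from the top level can come back
// after normalization; it is not how __massageInput() is implemented.

// Assumed normalizer: folds a JSON body found under 'json' into the flat
// parameter array, so a top-level 'id' that was stripped earlier can be
// reintroduced from the body.
function massageInput(array $params): array {
    $input = $params;
    if (isset($params['json']) && is_array($params['json'])) {
        $input = array_merge($input, $params['json']);
        unset($input['json']);
    }
    return $input;
}

// Stand-in for entity patching: the server assigns the identifier only
// when the (mass-assigned) input does not already carry one.
function patchEntity(array $input, int $nextId): array {
    return ['id' => $input['id'] ?? $nextId] + $input;
}

// Vulnerable ordering (pre-fix): strip id from the raw params, then normalize.
// The body copy of 'id' survives normalization and reaches patchEntity().
function addVulnerable(array $params, int $nextId): array {
    unset($params['id']);
    $input = massageInput($params);
    return patchEntity($input, $nextId);
}

// Fixed ordering (post-fix): normalize first, then strip id from the
// normalized input. unset() is a no-op when the key is absent, so no
// empty() guard is needed and an id of '0' is dropped as well.
function addFixed(array $params, int $nextId): array {
    $input = massageInput($params);
    unset($input['id']);
    return patchEntity($input, $nextId);
}

// Constructed request: attacker-chosen id at top level and again in the body.
$request = ['id' => 1, 'name' => 'spoofed', 'json' => ['id' => 1]];
$serverNextId = 42;

$vulnerable = addVulnerable($request, $serverNextId); // id comes from the body
$fixed      = addFixed($request, $serverNextId);      // id comes from the server
echo "vulnerable ordering -> id {$vulnerable['id']}\n";
echo "fixed ordering      -> id {$fixed['id']}\n";
```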
Preconditions
- network: Attacker must be able to reach an affected CRUD add endpoint
- input: Attacker must supply an id parameter in the request
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.