Skip to main content

Filament PHP CVE-2026-48067

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-11 https://github.com/filamentphp/filament GHSA-7q3w-xqjw-g3cr
6.5
CVSS 3.1 · Vendor: https://github.com/filamentphp/filament
Share

Severity by source

Vendor (https://github.com/filamentphp/filament) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network vector and low privilege confirmed by web-based admin panel requiring authenticated session; integrity-only impact as unauthorized record associations are persisted with no disclosure or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/filamentphp/filament).

CVSS VectorVendor: https://github.com/filamentphp/filament

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 20:51 vuln.today
Analysis Generated
Jun 11, 2026 - 20:51 vuln.today

DescriptionCVE.org

The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.

AnalysisAI

Inconsistent server-side scope enforcement in Filament's AttachAction and AssociateAction Select fields allows an authenticated low-privilege user to associate out-of-scope records by tampering with Livewire component state. Developers can scope which records appear in these Select dropdowns via recordSelectOptionsQuery(), but the built-in validation rule did not enforce the same scope - meaning the UI restriction was purely cosmetic and bypassable. Patches are available across all three affected major version lines; no public exploit or CISA KEV listing identified at time of analysis.

Technical ContextAI

Filament is a PHP admin panel framework built on Laravel, using Livewire for reactive server-driven UI components. The recordSelectOptionsQuery() method lets developers restrict which database records are presented as options in Select fields for AttachAction (many-to-many) and AssociateAction (has-many) operations. Because Livewire components maintain state on the server but accept client-submitted state changes, the validation pathway diverged from the display pathway - the server accepted record IDs not visible in the scoped options list. CWE-639 (Authorization Bypass Through User-Controlled Key) precisely describes this root cause: the server trusted a user-controlled record key without re-validating it against the developer-defined scope constraint. Affected composer packages are filament/tables (v3.x) and filament/actions (v4.x and v5.x).

RemediationAI

Vendor-released patches are available for all three affected version lines. Upgrade filament/tables to v3.3.51 or later; upgrade filament/actions to v4.11.4 or later (for v4.x installs); or upgrade filament/actions to v5.6.4 or later (for v5.x installs). Release tags and changelogs are available at https://github.com/filamentphp/filament/releases/tag/v3.3.51, https://github.com/filamentphp/filament/releases/tag/v4.11.4, and https://github.com/filamentphp/filament/releases/tag/v5.6.4. If immediate patching is not possible, a compensating control is to add explicit server-side validation in action before() or mutateFormDataBeforeSave() hooks that re-checks the submitted record ID against the same scope query used in recordSelectOptionsQuery() - note this requires duplicating scope logic manually and will need maintenance as the scope evolves. Disabling AttachAction and AssociateAction entirely on sensitive resources is a more drastic but complete workaround until the patch is applied.

Share

CVE-2026-48067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy