Skip to main content

authorization-for-expressjs CVE-2026-49473

HIGH
Interpretation Conflict (CWE-436)
2026-06-30 https://github.com/cedar-policy/authorization-for-expressjs GHSA-g4w6-vmgf-xqvx
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable bypass exploitable by any low-privilege authenticated user (PR:L) with no special complexity once overlapping routes exist (AC:L); confidentiality and integrity of restricted endpoints are exposed, but no genuine availability impact (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 18:50 vuln.today

DescriptionGitHub Advisory

Summary

@cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under certain circumstances, the middleware matches incoming requests against Cedar action mappings using req.originalUrl, which includes the query string, while Express routes requests using only the path component.

Impact

The middleware uses req.originalUrl to match incoming requests against Cedar action mappings. In Express, req.originalUrl includes the query string, while route matching uses only the path. This creates a divergence between what Cedar authorizes and what Express executes.

When an application defines separate actions for overlapping path prefixes with different authorization requirements (for example, GET /users for listing all users with admin-only access, and GET /users/{id} for retrieving a single user with any authenticated user access), an actor can append a query string to bypass the more restrictive policy. Sending GET /users/?x=1 causes the middleware to match against /users/{id} (with id parameter set to ?x=1) and evaluate the less restrictive action, while Express routes the request to the /users list handler. This allows inappropriate access to the more restrictive endpoint.

Impacted versions

<= 0.2.0

Patches

This issue has been addressed in @cedar-policy/authorization-for-expressjs version 0.3. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

Validate and sanitize incoming request paths before they reach the authorization middleware. Ensure that applications do not rely solely on the middleware for authorization when defining multiple actions on overlapping path prefixes with different permission levels.

References

If you have any questions or comments about this advisory, AWS asks that you contact AWS Security via the vulnerability reporting page or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

AnalysisAI

{id} action yet executed by the restrictive /users list handler. No public exploit identified at time of analysis, but the technique is fully described in the AWS/GitHub advisory and trivially reproducible.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Identify overlapping path-prefix routes
Exploit
Append query string to restricted path (GET /users/?x=1)
Execution
Cedar matches permissive {id} action
Persist
Express dispatches to restricted handler
Impact
Access admin-only data/function

Vulnerability AssessmentAI

Exploitation Exploitation requires the application to (1) use @cedar-policy/authorization-for-expressjs <= 0.2.0 as its authorization layer, and (2) define separate Cedar actions on overlapping path prefixes that carry different permission levels (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) reflects a network-reachable, low-complexity bypass requiring only a low-privilege authenticated session - consistent with the description, where 'any authenticated user' can elevate to an admin-only action. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege user of an Express app that uses Cedar to gate GET /users (admin-only list) versus GET /users/{id} (self-service single record) sends GET /users/?x=1. The middleware authorizes it as the permissive {id} action while Express dispatches it to the admin-only list handler, returning the full user listing to a non-admin. …
Remediation Vendor-released patch: version 0.3.0 - upgrade @cedar-policy/authorization-for-expressjs to 0.3.0 or later (release: https://github.com/cedar-policy/authorization-for-expressjs/releases/tag/v0.3.0; advisory: https://github.com/cedar-policy/authorization-for-expressjs/security/advisories/GHSA-g4w6-vmgf-xqvx), and patch any forked or derivative code to incorporate the corrected path-matching logic. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems and components using affected AWS/GitHub services; enable detailed monitoring and alerting on exploitation attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy