Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network API requires only a valid Sharp session (PR:L); confidentiality and availability are unaffected since bypass enables only unauthorized record creation with no data read or service disruption.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.
AnalysisAI
Authorization bypass in Sharp (code16/sharp Laravel CMS package) versions 9.0.0 through 9.22.3 permits authenticated users lacking create permissions to invoke Quick Creation Command endpoints directly, circumventing the authorization layer to either retrieve entity creation forms or submit new records. The root cause is a missing authorizationManager->check('create', $entityKey) call in both the constructor and the create method of ApiEntityListQuickCreationCommandController, meaning the restriction enforced at the entity list level was not replicated at the command controller level. No public exploit exists and no CISA KEV listing is present; vendor-released patch v9.22.3 closes both vulnerable endpoints.
Technical ContextAI
Sharp is a content management framework distributed as a Laravel PHP package by code16 (CPE: cpe:2.3:a:code16:sharp:*:*:*:*:*:*:*:*). The Quick Creation Command feature provides a fast-path modal for creating entity records, implemented in ApiEntityListQuickCreationCommandController.php. CWE-862 (Missing Authorization) is the root cause: the controller's constructor - invoked before store/submit operations - and the create method - serving the creation form - both lacked any call to $this->authorizationManager->check('create', $entityKey). The authorization enforcement existed at the entity list layer but was not propagated into the command controller layer, creating a gap exploitable by directly targeting the command API routes. The PR diff (https://github.com/code16/sharp/pull/729) confirms two distinct injection points were patched: one in the constructor covering record submission and one in the create method covering form retrieval.
RemediationAI
Upgrade Sharp to version 9.22.3 or later, which introduces $this->authorizationManager->check('create', $entityKey) into both the constructor and the create method of ApiEntityListQuickCreationCommandController, as confirmed by the patch at https://github.com/code16/sharp/pull/729 and the release at https://github.com/code16/sharp/releases/tag/v9.22.3. If an immediate upgrade is not feasible, a compensating control is to remove or disable configureQuickCreationForm() from all entity list classes where create permission restrictions are enforced - this eliminates the vulnerable code path entirely, though it removes the Quick Creation Command UI feature from those entities, impacting end-user workflows. There is no network-layer workaround (e.g., blocking specific routes) that is reliable without disabling the feature, since the endpoints share the same API path prefix as other Sharp commands.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36117
GHSA-vmwx-m75v-qvch