Skip to main content

Sharp CMS CVE-2026-53634

| EUVDEUVD-2026-36117 MEDIUM
Missing Authorization (CWE-862)
2026-06-10 GitHub_M GHSA-vmwx-m75v-qvch
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network API requires only a valid Sharp session (PR:L); confidentiality and availability are unaffected since bypass enables only unauthorized record creation with no data read or service disruption.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 22:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 21:21 vuln.today
Analysis Generated
Jun 10, 2026 - 21:21 vuln.today

DescriptionCVE.org

Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.

AnalysisAI

Authorization bypass in Sharp (code16/sharp Laravel CMS package) versions 9.0.0 through 9.22.3 permits authenticated users lacking create permissions to invoke Quick Creation Command endpoints directly, circumventing the authorization layer to either retrieve entity creation forms or submit new records. The root cause is a missing authorizationManager->check('create', $entityKey) call in both the constructor and the create method of ApiEntityListQuickCreationCommandController, meaning the restriction enforced at the entity list level was not replicated at the command controller level. No public exploit exists and no CISA KEV listing is present; vendor-released patch v9.22.3 closes both vulnerable endpoints.

Technical ContextAI

Sharp is a content management framework distributed as a Laravel PHP package by code16 (CPE: cpe:2.3:a:code16:sharp:*:*:*:*:*:*:*:*). The Quick Creation Command feature provides a fast-path modal for creating entity records, implemented in ApiEntityListQuickCreationCommandController.php. CWE-862 (Missing Authorization) is the root cause: the controller's constructor - invoked before store/submit operations - and the create method - serving the creation form - both lacked any call to $this->authorizationManager->check('create', $entityKey). The authorization enforcement existed at the entity list layer but was not propagated into the command controller layer, creating a gap exploitable by directly targeting the command API routes. The PR diff (https://github.com/code16/sharp/pull/729) confirms two distinct injection points were patched: one in the constructor covering record submission and one in the create method covering form retrieval.

RemediationAI

Upgrade Sharp to version 9.22.3 or later, which introduces $this->authorizationManager->check('create', $entityKey) into both the constructor and the create method of ApiEntityListQuickCreationCommandController, as confirmed by the patch at https://github.com/code16/sharp/pull/729 and the release at https://github.com/code16/sharp/releases/tag/v9.22.3. If an immediate upgrade is not feasible, a compensating control is to remove or disable configureQuickCreationForm() from all entity list classes where create permission restrictions are enforced - this eliminates the vulnerable code path entirely, though it removes the Quick Creation Command UI feature from those entities, impacting end-user workflows. There is no network-layer workaround (e.g., blocking specific routes) that is reliable without disabling the feature, since the endpoints share the same API path prefix as other Sharp commands.

Share

CVE-2026-53634 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy