Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Reachable over network with low complexity; Cerebrate add endpoints almost always require an authenticated session, so PR:L; integrity-only impact via forged identifiers, no confidentiality or availability loss.
Primary rating from Vendor (CIRCL).
CVSS VectorVendor: CIRCL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled.
Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching.
AnalysisAI
Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-controlled id when creating objects, because the add() handler stripped id from the raw $params but not from the normalized $input passed to entity patching. No public exploit identified at time of analysis, but the upstream commit aff1ca7 makes the root cause and exploit path trivially recoverable. CVSS 4.0 of 8.7 (VI:H) reflects integrity-only impact on the vulnerable system.
Technical ContextAI
Cerebrate is the CIRCL-developed identity and organisation management platform used alongside MISP for cross-community threat-intel sharing, written in PHP on the CakePHP framework. The defect is in CRUDComponent::add() (src/Controller/Component/CRUDComponent.php), a generic component reused by many controllers to handle entity creation. The handler called unset($params['id']) on the inbound request array before passing it through __massageInput(), but the normalized $input array - the value actually used by Cake's patchEntity / save - still carried any attacker-supplied id, producing a classic CWE-20 / mass-assignment failure where a server-controlled primary key becomes user-controlled. The fix changes the guard to unset($input['id']) so the sanitisation happens after normalisation.
RemediationAI
Vendor-released patch: upgrade Cerebrate to v1.37 or later, which moves the id-stripping into the normalized $input array (commit aff1ca7, https://github.com/cerebrate-project/cerebrate/commit/aff1ca707c8f926d00cda3deb39ff9bf59cdf18e). If an immediate upgrade is not possible, apply the two-line patch to src/Controller/Component/CRUDComponent.php::add() to unset $input['id'] after __massageInput() returns, or wrap affected add endpoints behind a reverse-proxy rule that strips the 'id' parameter from POST/PUT bodies - note that the body-rewrite workaround can break legitimate clients that resend payloads with server-issued ids. Restrict reachability of add endpoints to authenticated, role-checked users only and audit recently created records for unexpected primary-key values that indicate prior exploitation.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo
In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1
Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records o
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo
Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerab
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated
In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely explo
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36216
GHSA-g5c4-g774-r8rq