Skip to main content

Cerebrate CVE-2026-53911

| EUVDEUVD-2026-36218 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-11 CIRCL GHSA-ccc2-wrmm-mgwp
6.3
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-accessible edit endpoint, low auth required; scope changes because the attacker modifies records outside their authorization boundary, with high integrity impact on Role/User entities.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (CIRCL).

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 10:17 vuln.today
Analysis Generated
Jun 11, 2026 - 10:17 vuln.today

DescriptionCVE.org

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity.

The discovery of those potential vulnerabilities are inherited from initial finding from Jeroen Pinoy additional support from AI-Assisted Optus 4.8 (the commit wrongly assign Claude Fable 5 as the model switched) and coordinated by Andras Iklody.

AnalysisAI

Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records of the same entity type by injecting a foreign primary key into CRUD edit requests. The flaw stems from permissive mass-assignment defaults across several entity types - User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection - where the ORM's patchEntity() accepted attacker-controlled id values from request bodies, redirecting the SQL UPDATE to an unrelated row. Because the UserSettings edit endpoint was reachable by all authenticated users, the most accessible exploitation path required only valid session credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, though the integrity impact on Role and User entities carries privilege-escalation potential that elevates real-world severity above the base CVSS score alone.

Technical ContextAI

Cerebrate is a CIRCL-developed threat-intelligence sharing and management platform built on the CakePHP framework. CakePHP's ORM provides patchEntity() and newEntity() methods that marshal incoming request arrays onto entity objects before persisting them. By default, entity fields are considered mass-assignable unless explicitly marked inaccessible via the $_accessible property. The vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) arises because affected entities inherited the permissive base defaults without explicitly setting 'id' => false. When an attacker includes an id field in an HTTP edit request, patchEntity() sets that field on the entity object; since CakePHP's save() uses the entity's id to determine the WHERE clause, the UPDATE is redirected to a foreign record. The affected CPE is cpe:2.3:a:cerebrate:cerebrate:*:*:*:*:*:*:*:* for all versions prior to 1.37. The fix applied in CRUDComponent.php strips id from $input after beforeMarshal callbacks run, and AppModel.php now globally declares '$_accessible = ["*" => true, "id" => false]' to block PK mass-assignment across all inheriting entities.

RemediationAI

Upgrade Cerebrate to version 1.37, which strips the id field from request input in both add() and edit() flows within CRUDComponent.php and globally marks id as inaccessible in AppModel.php. The upstream fix commit is https://github.com/cerebrate-project/cerebrate/commit/b3c8f951b0634f05691339512ef06cc261afecaf; a released tagged version is the target state - verify that 1.37 is pulled from the official Cerebrate release channel rather than relying solely on this commit reference. If immediate upgrade is not possible, a compensating control is to implement a WAF or reverse-proxy rule that strips any id parameter from the request body of PATCH/POST requests to edit endpoints - note this may interfere with legitimate workflows and does not protect against server-side code paths that construct input arrays from multiple sources. Restricting the UserSettings edit endpoint to specific authenticated roles via application-level ACL reduces the most accessible exploitation surface while the patch is deployed.

CVE-2022-25321 MEDIUM POC
6.1 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo

CVE-2023-28883 CRITICAL
9.8 Mar 27

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this

CVE-2022-25319 MEDIUM POC
5.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

CVE-2023-26468 CRITICAL
9.1 Feb 24

Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1

CVE-2026-53901 HIGH
8.7 Jun 11

Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-con

CVE-2022-25317 MEDIUM
6.1 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo

CVE-2023-41908 MEDIUM
5.3 Sep 05

Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerab

CVE-2022-25320 MEDIUM
5.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

CVE-2026-53912 MEDIUM
5.1 Jun 11

Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated

CVE-2023-41363 MEDIUM
4.3 Aug 29

In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other

CVE-2022-25318 MEDIUM
4.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely explo

Share

CVE-2026-53911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy