Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible edit endpoint, low auth required; scope changes because the attacker modifies records outside their authorization boundary, with high integrity impact on Role/User entities.
Primary rating from Vendor (CIRCL).
CVSS VectorVendor: CIRCL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity.
The discovery of those potential vulnerabilities are inherited from initial finding from Jeroen Pinoy additional support from AI-Assisted Optus 4.8 (the commit wrongly assign Claude Fable 5 as the model switched) and coordinated by Andras Iklody.
AnalysisAI
Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records of the same entity type by injecting a foreign primary key into CRUD edit requests. The flaw stems from permissive mass-assignment defaults across several entity types - User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection - where the ORM's patchEntity() accepted attacker-controlled id values from request bodies, redirecting the SQL UPDATE to an unrelated row. Because the UserSettings edit endpoint was reachable by all authenticated users, the most accessible exploitation path required only valid session credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, though the integrity impact on Role and User entities carries privilege-escalation potential that elevates real-world severity above the base CVSS score alone.
Technical ContextAI
Cerebrate is a CIRCL-developed threat-intelligence sharing and management platform built on the CakePHP framework. CakePHP's ORM provides patchEntity() and newEntity() methods that marshal incoming request arrays onto entity objects before persisting them. By default, entity fields are considered mass-assignable unless explicitly marked inaccessible via the $_accessible property. The vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) arises because affected entities inherited the permissive base defaults without explicitly setting 'id' => false. When an attacker includes an id field in an HTTP edit request, patchEntity() sets that field on the entity object; since CakePHP's save() uses the entity's id to determine the WHERE clause, the UPDATE is redirected to a foreign record. The affected CPE is cpe:2.3:a:cerebrate:cerebrate:*:*:*:*:*:*:*:* for all versions prior to 1.37. The fix applied in CRUDComponent.php strips id from $input after beforeMarshal callbacks run, and AppModel.php now globally declares '$_accessible = ["*" => true, "id" => false]' to block PK mass-assignment across all inheriting entities.
RemediationAI
Upgrade Cerebrate to version 1.37, which strips the id field from request input in both add() and edit() flows within CRUDComponent.php and globally marks id as inaccessible in AppModel.php. The upstream fix commit is https://github.com/cerebrate-project/cerebrate/commit/b3c8f951b0634f05691339512ef06cc261afecaf; a released tagged version is the target state - verify that 1.37 is pulled from the official Cerebrate release channel rather than relying solely on this commit reference. If immediate upgrade is not possible, a compensating control is to implement a WAF or reverse-proxy rule that strips any id parameter from the request body of PATCH/POST requests to edit endpoints - note this may interfere with legitimate workflows and does not protect against server-side code paths that construct input arrays from multiple sources. Restricting the UserSettings edit endpoint to specific authenticated roles via application-level ACL reduces the most accessible exploitation surface while the patch is deployed.
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo
In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1
Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-con
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo
Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerab
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo
Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated
In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other
An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely explo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36218
GHSA-ccc2-wrmm-mgwp