Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint requires authenticated access (PR:L); only partial confidentiality disclosed via ordering side-channel (C:L); no integrity or availability impact.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
AnalysisAI
Sort-expression permission bypass in Yahoo Elide through 7.1.17 allows authenticated network attackers to leak relative values of @ReadPermission-protected fields by sorting API collections on forbidden field names. The flaw exists in SortingImpl.getValidSortingRules, which accepts client-controlled sort keys without verifying the caller's read authorization, exposing a classic side-channel across both JSON:API and GraphQL read endpoints. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a valid authenticated session with at least read access to the target Elide collection (PR:L - unauthenticated exploitation is not possible per the CVSS vector); (2) the target application must have at least one data model field annotated with @ReadPermission that excludes the attacker's role from reading that field; (3) the collection must contain multiple records and permit client-controlled sorting; (4) the attacker must be able to issue multiple HTTP requests to the JSON:API or GraphQL read endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates a network-reachable, low-complexity attack that requires authenticated access (PR:L) and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged user sends repeated JSON:API GET requests to a collection endpoint (e.g., /api/employees?sort=salary) referencing a @ReadPermission-protected field such as salary. Elide processes the sort without permission validation, returning records ordered by the hidden field. … |
| Remediation | The primary remediation is to upgrade Elide beyond version 7.1.17 once a patched release is published; no exact fix version was confirmed in the available input data, and no vendor-released patch version has been independently verified. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40139
GHSA-c4g4-fg7q-8p3c