Skip to main content

Yahoo Elide CVE-2026-57954

| EUVDEUVD-2026-40139 MEDIUM
Missing Authorization (CWE-862)
2026-06-29 disclosure@vulncheck.com GHSA-c4g4-fg7q-8p3c
5.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable endpoint requires authenticated access (PR:L); only partial confidentiality disclosed via ordering side-channel (C:L); no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:40 vuln.today

DescriptionCVE.org

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

AnalysisAI

Sort-expression permission bypass in Yahoo Elide through 7.1.17 allows authenticated network attackers to leak relative values of @ReadPermission-protected fields by sorting API collections on forbidden field names. The flaw exists in SortingImpl.getValidSortingRules, which accepts client-controlled sort keys without verifying the caller's read authorization, exposing a classic side-channel across both JSON:API and GraphQL read endpoints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to Elide API
Delivery
Craft sort request referencing @ReadPermission-restricted field
Exploit
Submit request to JSON:API or GraphQL read endpoint
Install
Elide skips permission check in SortingImpl.getValidSortingRules
C2
Observe row ordering in response
Execute
Repeat with varied filters to binary-search hidden field values
Impact
Infer protected data across all collection rows

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) a valid authenticated session with at least read access to the target Elide collection (PR:L - unauthenticated exploitation is not possible per the CVSS vector); (2) the target application must have at least one data model field annotated with @ReadPermission that excludes the attacker's role from reading that field; (3) the collection must contain multiple records and permit client-controlled sorting; (4) the attacker must be able to issue multiple HTTP requests to the JSON:API or GraphQL read endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates a network-reachable, low-complexity attack that requires authenticated access (PR:L) and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged user sends repeated JSON:API GET requests to a collection endpoint (e.g., /api/employees?sort=salary) referencing a @ReadPermission-protected field such as salary. Elide processes the sort without permission validation, returning records ordered by the hidden field. …
Remediation The primary remediation is to upgrade Elide beyond version 7.1.17 once a patched release is published; no exact fix version was confirmed in the available input data, and no vendor-released patch version has been independently verified. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy