Skip to main content

Chyrp Lite EUVDEUVD-2026-19420

| CVE-2026-35173 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-06 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.01
EUVD ID Assigned
Apr 06, 2026 - 18:22 euvd
EUVD-2026-19420
Analysis Generated
Apr 06, 2026 - 18:22 vuln.today
CVE Published
Apr 06, 2026 - 18:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.

AnalysisAI

Chyrp Lite prior to version 2026.01 allows authenticated users with post editing permissions to modify posts owned by other users through an insecure direct object reference (IDOR) and mass assignment vulnerability in the Post model. Attackers can inject internal class properties such as post IDs into the post_attributes payload to alter which post is being edited, effectively enabling unauthorized post takeover. The vulnerability requires valid authentication and existing post editing permissions but no user interaction, posing a medium-to-high integrity risk to multi-user blogging instances.

Technical ContextAI

Chyrp Lite's Post model contains a mass assignment flaw where user-controlled input from the post_attributes payload is insufficiently validated before instantiating or modifying Post objects. The vulnerability stems from CWE-639 (Authorization Through User-Controlled Key), where internal object identifiers (such as the post ID) are accessible to authenticated users and can be manipulated to reference posts outside the attacker's authorized scope. In typical Ruby on Rails or similar MVC frameworks, mass assignment occurs when framework methods blindly assign all incoming request parameters to model attributes without explicitly whitelisting permitted fields. An authenticated attacker with Edit Post, Edit Draft, Edit Own Post, or Edit Own Draft permissions can bypass authorization checks by directly specifying the ID or other identifying attributes of a target post, causing subsequent operations (updates, deletes, or state changes) to be performed on the victim's post rather than the attacker's own.

RemediationAI

Upgrade Chyrp Lite to version 2026.01 or later, which includes fixes for the mass assignment vulnerability and authorization checks in the Post model. Administrators should immediately apply this patch to all instances, particularly those supporting multi-user blogging with delegated post editing permissions. As an interim mitigation prior to upgrading, restrict the assignment of post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to trusted users only, though this does not eliminate the vulnerability for those users. Ensure all user sessions are audited for unauthorized post modifications, and review the security advisory at https://github.com/xenocrat/chyrp-lite/security/advisories/GHSA-8c3h-rh2j-fxr9 for implementation details.

Share

EUVD-2026-19420 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy