Skip to main content

Tuist EUVDEUVD-2026-30483

| CVE-2026-44678 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 security-advisories@github.com
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 22:05 vuln.today
CVE Published
May 14, 2026 - 21:16 nvd
HIGH 7.1

DescriptionGitHub Advisory

Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle - which the attacker controls - and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.

AnalysisAI

Unauthorized deletion of preview resources in Tuist API allows authenticated attackers to delete arbitrary project previews regardless of ownership. An attacker with valid credentials can manipulate the DELETE endpoint's URL path to pass authorization checks against a project they control, while supplying any preview UUID to delete resources belonging to other users' projects. No public exploit code identified at time of analysis, but exploitation requires only low-complexity API manipulation with standard HTTP tools.

Technical ContextAI

Tuist is a developer platform for Swift application development that provides project preview functionality via REST API. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the authorization plug validates the caller's permissions against the project specified in the URL path parameters (account_handle/project_handle) but the actual deletion operation uses the preview_id UUID parameter without validating ownership linkage. This represents a classic Insecure Direct Object Reference (IDOR) pattern where authorization decisions are made on one object (the URL-specified project) while the action executes against a different object (the UUID-specified preview). The REST API architecture separates the authorization layer from the data access layer without enforcing referential integrity between the path-based project context and the UUID-based resource identifier.

RemediationAI

Upgrade to Tuist version later than 1.180.8 once the vendor releases a patched version per the GitHub Security Advisory GHSA-fqp5-hg46-cp2x at https://github.com/tuist/tuist/security/advisories/GHSA-fqp5-hg46-cp2x - specific fix version not confirmed from available data; monitor the advisory for release announcements. Until patched version is deployed, implement compensating controls: modify the DELETE endpoint authorization logic to validate that the preview_id belongs to the project specified in account_handle/project_handle before executing the deletion (add database query: SELECT project_id FROM previews WHERE id = preview_id and verify it matches the URL path project); alternatively, implement API gateway rules to log all DELETE /api/projects/*/previews/* requests with caller identity for audit trail and anomaly detection, though this does not prevent exploitation; consider temporarily disabling the preview deletion API endpoint entirely if preview cleanup is not operationally critical, with trade-off of preview resource accumulation. Note that authentication credential management remains important as the vulnerability requires valid user credentials.

Share

EUVD-2026-30483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy