Skip to main content

Cerebrate EUVDEUVD-2026-36216

| CVE-2026-53901 HIGH
Improper Input Validation (CWE-20)
2026-06-11 CIRCL GHSA-g5c4-g774-r8rq
8.7
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
vuln.today AI
6.5 MEDIUM

Reachable over network with low complexity; Cerebrate add endpoints almost always require an authenticated session, so PR:L; integrity-only impact via forged identifiers, no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 11, 2026 - 10:01 EUVD
Source Code Evidence Fetched
Jun 11, 2026 - 08:45 vuln.today
Analysis Generated
Jun 11, 2026 - 08:45 vuln.today

DescriptionCVE.org

Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled.

Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching.

AnalysisAI

Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-controlled id when creating objects, because the add() handler stripped id from the raw $params but not from the normalized $input passed to entity patching. No public exploit identified at time of analysis, but the upstream commit aff1ca7 makes the root cause and exploit path trivially recoverable. CVSS 4.0 of 8.7 (VI:H) reflects integrity-only impact on the vulnerable system.

Technical ContextAI

Cerebrate is the CIRCL-developed identity and organisation management platform used alongside MISP for cross-community threat-intel sharing, written in PHP on the CakePHP framework. The defect is in CRUDComponent::add() (src/Controller/Component/CRUDComponent.php), a generic component reused by many controllers to handle entity creation. The handler called unset($params['id']) on the inbound request array before passing it through __massageInput(), but the normalized $input array - the value actually used by Cake's patchEntity / save - still carried any attacker-supplied id, producing a classic CWE-20 / mass-assignment failure where a server-controlled primary key becomes user-controlled. The fix changes the guard to unset($input['id']) so the sanitisation happens after normalisation.

RemediationAI

Vendor-released patch: upgrade Cerebrate to v1.37 or later, which moves the id-stripping into the normalized $input array (commit aff1ca7, https://github.com/cerebrate-project/cerebrate/commit/aff1ca707c8f926d00cda3deb39ff9bf59cdf18e). If an immediate upgrade is not possible, apply the two-line patch to src/Controller/Component/CRUDComponent.php::add() to unset $input['id'] after __massageInput() returns, or wrap affected add endpoints behind a reverse-proxy rule that strips the 'id' parameter from POST/PUT bodies - note that the body-rewrite workaround can break legitimate clients that resend payloads with server-issued ids. Restrict reachability of add endpoints to authenticated, role-checked users only and audit recently created records for unexpected primary-key values that indicate prior exploitation.

CVE-2022-25321 MEDIUM POC
6.1 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo

CVE-2023-28883 CRITICAL
9.8 Mar 27

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this

CVE-2022-25319 MEDIUM POC
5.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

CVE-2023-26468 CRITICAL
9.1 Feb 24

Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1

CVE-2026-53911 MEDIUM
6.3 Jun 11

Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records o

CVE-2022-25317 MEDIUM
6.1 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo

CVE-2023-41908 MEDIUM
5.3 Sep 05

Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerab

CVE-2022-25320 MEDIUM
5.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

CVE-2026-53912 MEDIUM
5.1 Jun 11

Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated

CVE-2023-41363 MEDIUM
4.3 Aug 29

In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other

CVE-2022-25318 MEDIUM
4.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely explo

Share

EUVD-2026-36216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy