Skip to main content

Ash

2 CVEs product

Monthly

CVE-2026-55736 MEDIUM PATCH This Month

Private argument injection in the Ash Elixir framework (versions 3.0.0 through 3.29.2) allows end users to set action arguments explicitly marked public?: false, which are designed to be controlled exclusively by trusted server-side code. The filtering logic in both the regular changeset path and the atomic changeset path fails to enforce the public? flag when input parameters arrive as string (binary) keys - the default format for user-supplied JSON or form data. An attacker who submits a string-keyed parameter matching a private argument name can inject an arbitrary value, potentially enabling privilege escalation or integrity violations if that argument drives authorization decisions such as acting_user_id or record ownership. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.

Privilege Escalation Ash
NVD GitHub
CVSS 4.0
5.9
EPSS
0.2%
CVE-2021-45688 Cargo CRITICAL PATCH Act Now

An issue was discovered in the ash crate before 0.33.1 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ash
NVD
CVSS 3.1
9.8
EPSS
1.3%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Private argument injection in the Ash Elixir framework (versions 3.0.0 through 3.29.2) allows end users to set action arguments explicitly marked public?: false, which are designed to be controlled exclusively by trusted server-side code. The filtering logic in both the regular changeset path and the atomic changeset path fails to enforce the public? flag when input parameters arrive as string (binary) keys - the default format for user-supplied JSON or form data. An attacker who submits a string-keyed parameter matching a private argument name can inject an arbitrary value, potentially enabling privilege escalation or integrity violations if that argument drives authorization decisions such as acting_user_id or record ownership. No public exploit code has been identified and this vulnerability is not listed in CISA KEV.

Privilege Escalation Ash
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in the ash crate before 0.33.1 for Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ash
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy