GHSA-F5C8-M5VW-RMGQ

Vulnerability from github – Published: 2026-04-24 16:00 – Updated: 2026-04-24 16:00
VLAI?
Summary
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
Details

Impact

In versions < 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area).

The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource.

Patches

Fixed in 1.3.0:

  • The route is now protected by Nova's nova:api middleware, which enforces the viewNova gate.
  • The controller now checks the resource's authorizedToUpdate policy.
  • The controller only accepts attributes that are declared as a Toggle field on the resource and are not readonly in the current request context.

Workarounds

Users who cannot upgrade immediately can either remove the package or restrict access to the /nova-vendor/nova-toggle/toggle/* routes via an additional middleware in their application that enforces the viewNova gate.

Credits

nova-toggle-5 thanks Roberto Negro for the responsible disclosure.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "almirhodzic/nova-toggle-5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T16:00:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn versions `\u003c 1.3.0`, the toggle endpoint (`POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}`) was protected only by `web` + `auth:\u003cguard\u003e` middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource \u2014 including users who do not have access to Nova itself (for example, frontend customers sharing the `web` guard with the Nova admin area).\n\nThe endpoint also accepted an arbitrary `attribute` parameter, which meant a valid caller could toggle any boolean column on the underlying model \u2014 not just columns exposed as `Toggle` fields on the resource.\n\n### Patches\n\nFixed in `1.3.0`:\n\n- The route is now protected by Nova\u0027s `nova:api` middleware, which enforces the `viewNova` gate.\n- The controller now checks the resource\u0027s `authorizedToUpdate` policy.\n- The controller only accepts attributes that are declared as a `Toggle` field on the resource and are not readonly in the current request context.\n\n### Workarounds\n\nUsers who cannot upgrade immediately can either remove the package or restrict access to the `/nova-vendor/nova-toggle/toggle/*` routes via an additional middleware in their application that enforces the `viewNova` gate.\n\n### Credits\n\nnova-toggle-5 thanks [Roberto Negro](https://github.com/RobertoNegro) for the responsible disclosure.",
  "id": "GHSA-f5c8-m5vw-rmgq",
  "modified": "2026-04-24T16:00:09Z",
  "published": "2026-04-24T16:00:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/almirhodzic/nova-toggle-5/security/advisories/GHSA-f5c8-m5vw-rmgq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/almirhodzic/nova-toggle-5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/almirhodzic/nova-toggle-5/blob/main/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/almirhodzic/nova-toggle-5/releases/tag/v1.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.