GHSA-QC5P-3MG5-9FH8
Vulnerability from github – Published: 2026-04-24 16:11 – Updated: 2026-04-24 16:11
VLAI?
Summary
Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
Details
Summary
A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.
Details
The vulnerability exists in the action_class method within app/controllers/avo/actions_controller.rb.
Vulnerable Code
def action_class
# It searches through ALL descendants of BaseAction without resource validation
Avo::BaseAction.descendants.find do |action|
action.to_s == params[:action_id]
end
end
The controller identifies the action class to execute solely based on the params[:action_id] by searching through all BaseAction descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., /admin/resources/posts/actions).
Consequently, an attacker can invoke sensitive actions (e.g., Avo::Actions::ToggleAdmin) through an unrelated resource endpoint (e.g., Post), bypassing the intended resource-action mapping.
Impact
This flaw results in significant security risks:
- Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions.
- Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database.
- Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.
Proof of Concept (PoC)
Steps to Reproduce:
- Log in to the Avo admin panel with limited permissions.
- Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g.,
Avo::Actions::ToggleAdmin). - Send a POST request to a resource endpoint where the target action is not registered:
- URL:
POST /admin/resources/posts/actions - Payload:
action_id=Avo::Actions::ToggleAdmin&fields[avo_resource_ids]=1
- URL:
- The server executes the
ToggleAdminlogic on User 1, even though the request was made through thepostsresource context.
PoC Script Snippet:
# Simulating the unauthorized action execution
data = {
'action_id': 'Avo::Actions::ToggleAdmin',
'fields[avo_resource_ids]': '1', # Target Record ID
'authenticity_token': csrf_token
}
response = session.post(f"{BASE_URL}/admin/resources/posts/actions", data=data)
Remediation
Restrict the action lookup to only those actions explicitly registered for the current resource context:
def action_class
# Validate that the action is registered for the current resource
@resource.get_actions.find do |action|
action.to_s == params[:action_id]
end
end
Discoverer
Illunight
Severity ?
8.8 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "avo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.31.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T16:11:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nA critical Broken Access Control vulnerability was identified in the `ActionsController` of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of `Avo::BaseAction`) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.\n\n### Details\n\nThe vulnerability exists in the `action_class` method within `app/controllers/avo/actions_controller.rb`.\n\n#### Vulnerable Code\n\n```ruby\ndef action_class\n # It searches through ALL descendants of BaseAction without resource validation\n Avo::BaseAction.descendants.find do |action|\n action.to_s == params[:action_id]\n end\nend\n```\n\nThe controller identifies the action class to execute solely based on the `params[:action_id]` by searching through all `BaseAction` descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., `/admin/resources/posts/actions`).\n\nConsequently, an attacker can invoke sensitive actions (e.g., `Avo::Actions::ToggleAdmin`) through an unrelated resource endpoint (e.g., `Post`), bypassing the intended resource-action mapping.\n\n### Impact\n\nThis flaw results in significant security risks:\n\n- **Privilege Escalation:** An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others\u0027 permissions.\n- **Unauthorized Operations:** Actions designed for restricted resources can be triggered against any record ID in the database.\n- **Data Integrity Compromise:** Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.\n\n### Proof of Concept (PoC)\n\n**Steps to Reproduce:**\n\n01. Log in to the Avo admin panel with limited permissions.\n02. Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g., `Avo::Actions::ToggleAdmin`).\n03. Send a POST request to a resource endpoint where the target action is not registered:\n - **URL:** `POST /admin/resources/posts/actions`\n - **Payload:** `action_id=Avo::Actions::ToggleAdmin\u0026fields[avo_resource_ids]=1`\n04. The server executes the `ToggleAdmin` logic on User 1, even though the request was made through the `posts` resource context.\n\n**PoC Script Snippet:**\n\n```python\n# Simulating the unauthorized action execution\ndata = {\n \u0027action_id\u0027: \u0027Avo::Actions::ToggleAdmin\u0027,\n \u0027fields[avo_resource_ids]\u0027: \u00271\u0027, # Target Record ID\n \u0027authenticity_token\u0027: csrf_token\n}\nresponse = session.post(f\"{BASE_URL}/admin/resources/posts/actions\", data=data)\n```\n\n### Remediation\n\nRestrict the action lookup to only those actions explicitly registered for the current resource context:\n\n```ruby\ndef action_class\n # Validate that the action is registered for the current resource\n @resource.get_actions.find do |action|\n action.to_s == params[:action_id]\n end\nend\n```\n\n### Discoverer\n\nIllunight",
"id": "GHSA-qc5p-3mg5-9fh8",
"modified": "2026-04-24T16:11:28Z",
"published": "2026-04-24T16:11:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8"
},
{
"type": "PACKAGE",
"url": "https://github.com/avo-hq/avo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…