Byte Open Security (ByteOS Network)
Vulnerability Details: CVE-2025-48042

Summary
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 07 Sep, 2025 | 16:01
Updated At: 20 Feb, 2026 | 12:59
Rejected At: -
Before action hooks may execute in certain scenarios despite a request being forbidden

Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk':run/6. This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a.

Common Vulnerabilities and Exposures (CVE) (cve.org)
CVE Numbering Authority (CNA)
Affected Products
Vendor
ash-project
Product
ash
Collection URL
https://repo.hex.pm
Package Name
ash
Repo
https://github.com/ash-project/ash
CPEs
  • cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
Program Files
  • lib/ash/actions/create/bulk.ex
  • lib/ash/actions/destroy/bulk.ex
  • lib/ash/actions/update/bulk.ex
Program Routines
  • 'Elixir.Ash.Actions.Create.Bulk':run/5
  • 'Elixir.Ash.Actions.Destroy.Bulk':run/6
  • 'Elixir.Ash.Actions.Update.Bulk':run/6
Default Status
unaffected
Versions
Affected
  • From 0 before 3.5.39 (semver)
  • From pkg:hex/ash@0 before pkg:hex/ash@3.5.39 (purl)
Vendor
ash-project
Product
ash
Collection URL
https://github.com
Package Name
ash-project/ash
Repo
https://github.com/ash-project/ash
CPEs
  • cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
Program Files
  • lib/ash/actions/create/bulk.ex
  • lib/ash/actions/destroy/bulk.ex
  • lib/ash/actions/update/bulk.ex
Program Routines
  • 'Elixir.Ash.Actions.Create.Bulk':run/5
  • 'Elixir.Ash.Actions.Destroy.Bulk':run/6
  • 'Elixir.Ash.Actions.Update.Bulk':run/6
Default Status
unaffected
Versions
Affected
  • From 0 before 5d1b6a5d00771fd468a509778637527b5218be9a (git)
Problem Types
Type: CWE
CWE ID: CWE-863
Description: CWE-863 Incorrect Authorization
Metrics
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-180
Description: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
Credits
Remediation developer: Zach Daniel
Analyst: Jonatan Männchen
References
Hyperlink: https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9
Resource: vendor-advisory
Hyperlink: https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a
Resource: patch
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Information is not available yet
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 07 Sep, 2025 | 16:15
Updated At: 08 Sep, 2025 | 16:25
CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
CWE ID: CWE-863
Type: Secondary
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
References
Hyperlink: https://github.com/ash-project/ash/commit/5d1b6a5d00771fd468a509778637527b5218be9a
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Resource: N/A
Hyperlink: https://github.com/ash-project/ash/security/advisories/GHSA-jj4j-x5ww-cwh9
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Resource: N/A

Change History
Information is not available yet

Similar CVEs

4 records found

CVE-2025-48043
Matching Score: 6
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.6 (HIGH)
EPSS: 0.14% / 34.85%
7 Day Change: ~0.00%
Published: 10 Oct, 2025 | 15:57
Updated: 20 Feb, 2026 | 12:59
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization

Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae.

Action: Not Available
Vendor: ash-project
Product: ash
CWE ID: CWE-863 Incorrect Authorization
CVE-2025-48044
Matching Score: 6
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.6 (HIGH)
EPSS: 0.14% / 34.85%
7 Day Change: ~0.00%
Published: 17 Oct, 2025 | 13:52
Updated: 20 Feb, 2026 | 11:32
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Authorization bypass when bypass policy condition evaluates to true

Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.

Action: Not Available
Vendor: ash-project
Product: ash
CWE ID: CWE-863 Incorrect Authorization
CVE-2026-25859
Matching Score: 4
Assigner: VulnCheck
CVSS Score: 7.1 (HIGH)
EPSS: 0.04% / 12.38%
7 Day Change: ~0.00%
Published: 07 Feb, 2026 | 21:59
Updated: 10 Feb, 2026 | 21:54
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
WeKan < 8.20 Migration Functionality Insufficient Permission Checks

Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

Action: Not Available
Vendor: wekan_project (WeKan)
Product: wekan (WeKan)
CWE ID: CWE-863 Incorrect Authorization
CVE-2025-34273
Matching Score: 4
Assigner: VulnCheck
CVSS Score: 7.1 (HIGH)
EPSS: 0.22% / 44.40%
7 Day Change: ~0.00%
Published: 30 Oct, 2025 | 21:24
Updated: 17 Nov, 2025 | 21:36
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Nagios Log Server < 2024R2.0.3 Non-Admin Dashboard Deletion

Nagios Log Server versions prior to 2024R2.0.3 contain an incorrect authorization vulnerability that allows non-administrator users to delete global dashboards. The application did not correctly enforce authorization checks for the global dashboard deletion workflow, enabling lower-privileged users to remove dashboards that affect other users or the overall monitoring UI.

Action: Not Available
Vendor: Nagios Enterprises, LLC
Product: log_server (Log Server)
CWE ID: CWE-863 Incorrect Authorization