CVE-2026-42202

MEDIUM 6.5

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0.

CWE	CWE-285
Vendor	almirhodzic
Product	nova-toggle-5
Published	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for almirhodzic nova-toggle-5

Be the first to know when new medium vulnerabilities affecting almirhodzic nova-toggle-5 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

almirhodzic / nova-toggle-5

< 1.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/almirhodzic/nova-toggle-5/security/advisories/GHSA-f5c8-m5vw-rmgq github.com: https://github.com/almirhodzic/nova-toggle-5/releases/tag/v1.3.0