๐Ÿ” CVE Alert

CVE-2026-49858

MEDIUM 5.9

API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate

CVSS Score: 5.9
EPSS Score: 0.0%
EPSS Percentile: 0th

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
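The cache reuse described above, as an added PHP example that is not API Platform's own code: a toy normalizer whose componentsCache is keyed only on $context['cache_key'], run once without and once with an isCacheKeySafe gate. The class, the context keys (has_security_predicate, user) and the gate's logic are simplified assumptions standing in for the library's real checks.

```php
<?php
// Added illustration, not API Platform's own code: a minimal model of the
// componentsCache pattern in the advisory. Class and context keys
// (Normalizer, cache_key, has_security_predicate, user) are hypothetical.
final class Normalizer
{
    // Shared across requests and keyed on cache_key only, as in the advisory.
    private array $componentsCache = [];

    public function __construct(private bool $gateCache) {}

    // Stand-in for #[ApiProperty(security: ...)]: evaluated per request.
    private function isAllowed(string $property, array $context): bool
    {
        return $property !== 'secret' || ($context['user']['role'] ?? '') === 'admin';
    }

    // The gate the fix adds: a context carrying a per-request security
    // predicate must not reuse a structure computed for another caller.
    private function isCacheKeySafe(array $context): bool
    {
        return !($context['has_security_predicate'] ?? false);
    }

    public function components(array $object, array $context): array
    {
        $key = $context['cache_key'] ?? null;
        $cacheable = $key !== null && (!$this->gateCache || $this->isCacheKeySafe($context));
        if ($cacheable && isset($this->componentsCache[$key])) {
            return $this->componentsCache[$key]; // ungated: whoever asked first wins
        }
        $attributes = array_values(array_filter(
            array_keys($object),
            fn (string $p) => $this->isAllowed($p, $context)
        ));
        $components = ['attributes' => $attributes];
        if ($cacheable) {
            $this->componentsCache[$key] = $components;
        }
        return $components;
    }
}

// Constructed sample: cache_key is set unconditionally for both callers.
$object = ['id' => 1, 'title' => 'Book', 'secret' => 'internal'];
$ctx = fn (string $role) => ['cache_key' => 'book:1', 'has_security_predicate' => true, 'user' => ['role' => $role]];
foreach ([[false, 'ungated'], [true, 'gated']] as [$gate, $label]) {
    $normalizer = new Normalizer($gate);
    $normalizer->components($object, $ctx('admin'));                        // first request warms the cache
    $seen = $normalizer->components($object, $ctx('reader'))['attributes']; // lower-privileged second request
    printf("%-8s reader sees: %s\n", $label, implode(', ', $seen));
}
```

In the ungated run the reader receives the attribute list computed for the admin, including the property the predicate should hide; in the gated run the structure is recomputed for the reader's context.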

CWE: CWE-524, CWE-639
Vendor: api-platform
Product: core
Published: Jul 1, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

api-platform / core
>= 2.6.0, < 4.1.29
>= 4.2.0, < 4.2.25
>= 4.3.0, < 4.3.8
api-platform / api-platform/hal
>= 2.6.0, < 4.1.29
>= 4.2.0, < 4.2.25
>= 4.3.0, < 4.3.8
api-platform / api-platform/json-api
>= 2.6.0, < 4.1.29
>= 4.2.0, < 4.2.25
>= 4.3.0, < 4.3.8

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23