CVE Alert

CVE-2026-54164

MEDIUM 6.5

API Platform Core: Missing IRI type check enables resource type confusion

CVSS Score
6.5
EPSS Score
0.2%
EPSS Percentile
9th

API Platform Core is a framework for building hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the type of the resource returned when it resolves a relation IRI. This allows a type confusion in which a resource of an unintended type is silently assigned to a relation property.

An attacker who can submit write requests (POST, PUT or PATCH) to an API Platform endpoint exposing writable relations can supply a relation IRI that points to a resource of a different type than the relation's declared class. Because AbstractItemNormalizer::getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (the legacy @var-only style), the wrongly typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x style), the substitution is blocked by Symfony's PropertyAccessor, which throws an InvalidTypeException.

In practice this means applications whose relation properties all carry native PHP types are shielded by that type check, while any relation declared only through a docblock should be treated as exposed until the upgrade is applied. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.
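The following is an added, stand-alone PHP model of the resolution path described above. It is not API Platform's own code: the Author, Review, Book and LegacyBook classes, the in-memory IRI table, and the $expectedClass parameter (standing in for the $operation argument that the real normalizer fails to forward) are all assumptions made for illustration. It runs the same attacker-supplied IRI through the unguarded and the guarded path against both an untyped and a typed relation property.

```php
<?php
declare(strict_types=1);

// Constructed illustration of the IRI type confusion; not API Platform code.

final class Author { public function __construct(public string $name) {} }
final class Review { public function __construct(public string $body) {} }

// Modern typed relation property (PHP 8.x style).
final class Book { public ?Author $author = null; }

// Legacy relation property typed only through a docblock.
final class LegacyBook { /** @var Author|null */ public $author = null; }

final class IriResolver
{
    /** @var array<string, object> constructed sample data keyed by IRI */
    private array $store;

    public function __construct()
    {
        $this->store = [
            '/authors/1' => new Author('A. Writer'),
            '/reviews/7' => new Review('Five stars'), // a resource that is not an Author
        ];
    }

    // The is_a guard only runs when the caller says which class it expects,
    // mirroring the guard that is skipped when no $operation is passed.
    public function getResourceFromIri(string $iri, ?string $expectedClass = null): object
    {
        $resource = $this->store[$iri] ?? throw new RuntimeException("Unknown IRI: $iri");
        if ($expectedClass !== null && !is_a($resource, $expectedClass)) {
            throw new UnexpectedValueException(sprintf(
                'IRI %s resolves to %s, expected %s', $iri, $resource::class, $expectedClass
            ));
        }
        return $resource;
    }
}

// Vulnerable path: the declared relation class is never forwarded, so the guard is skipped.
function assignRelationVulnerable(IriResolver $r, object $target, string $prop, string $iri): void
{
    $target->$prop = $r->getResourceFromIri($iri);
}

// Fixed path: forward the declared relation class so the is_a guard runs.
function assignRelationFixed(IriResolver $r, object $target, string $prop, string $declared, string $iri): void
{
    $target->$prop = $r->getResourceFromIri($iri, $declared);
}

function attempt(string $label, callable $fn): void
{
    try {
        $fn();
        echo "$label: assigned without error\n";
    } catch (Throwable $e) {
        echo "$label: rejected (" . $e::class . "): " . $e->getMessage() . "\n";
    }
}

$resolver = new IriResolver();
$attackerIri = '/reviews/7'; // attacker-supplied IRI of the wrong resource type

// 1. Untyped property, vulnerable path: a Review is silently stored in $author.
$legacy = new LegacyBook();
attempt('legacy/vulnerable', fn() => assignRelationVulnerable($resolver, $legacy, 'author', $attackerIri));
echo '  author is now an instance of ' . ($legacy->author === null ? 'null' : $legacy->author::class) . "\n";

// 2. Typed property, vulnerable path: PHP's own property type check rejects the object.
$typed = new Book();
attempt('typed/vulnerable', fn() => assignRelationVulnerable($resolver, $typed, 'author', $attackerIri));

// 3. Untyped property, fixed path: the is_a guard rejects the wrong type before assignment.
$legacy2 = new LegacyBook();
attempt('legacy/fixed', fn() => assignRelationFixed($resolver, $legacy2, 'author', Author::class, $attackerIri));

// 4. A legitimate IRI through the fixed path still resolves and assigns.
attempt('legacy/fixed/valid', fn() => assignRelationFixed($resolver, $legacy2, 'author', Author::class, '/authors/1'));
```

In the real framework the typed-property rejection comes from Symfony's PropertyAccessor (an InvalidTypeException) rather than from a native TypeError as in this simplified model; the point the model shows is that the untyped property has no such backstop, so the caller-side is_a guard is the only check standing between an attacker-chosen IRI and the relation.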

CWE CWE-843
Vendor api-platform
Product core
Published Jul 1, 2026
Last Updated Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Affected Versions

api-platform / core
- < 4.1.30
- >= 4.2.0, < 4.2.26
- >= 4.3.0, < 4.3.12

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h