Weakness Type (CWE)

CWE-862 — CWE-862 Missing Authorization

CAPEC

CVSS 4.0 Score

5.3

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability description

Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution.

The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.

This issue affects oban_web: from 2.12.0 before 2.12.5.

Affected

pkg:hex/oban_web

Module Source File Routine
Oban.Web.Jobs.DetailComponent lib/oban/web/live/jobs/detail_component.ex Oban.Web.Jobs.DetailComponent.handle_event/3
Status Type Version Changes / Fixed in
affected semver 2.12.0 < 2.12.5

pkg:github/oban-bg/oban_web

Module Source File Routine
Oban.Web.Jobs.DetailComponent lib/oban/web/live/jobs/detail_component.ex Oban.Web.Jobs.DetailComponent.handle_event/3
Status Type Version Changes / Fixed in
affected git a17bc8c312 < ab3c5d1d3e

Configurations

The Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. :read_only).

References

Credits

  • Finder: Peter Ullrich
  • Remediation developer: Parker Selbert
  • Analyst: Jonatan Männchen

CVE record as JSON:  GET /cves/CVE-2026-48592.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-48592.json