{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-48592","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-26T20:46:44.585227Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-26T20:46:50.037Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://repo.hex.pm","cpes":["cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Oban.Web.Jobs.DetailComponent'"],"packageName":"oban_web","packageURL":"pkg:hex/oban_web","product":"oban_web","programFiles":["lib/oban/web/live/jobs/detail_component.ex"],"programRoutines":[{"name":"'Elixir.Oban.Web.Jobs.DetailComponent':handle_event/3"}],"vendor":"oban-bg","versions":[{"lessThan":"2.12.5","status":"affected","version":"2.12.0","versionType":"semver"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Oban.Web.Jobs.DetailComponent'"],"packageName":"oban-bg/oban_web","packageURL":"pkg:github/oban-bg/oban_web","product":"oban_web","programFiles":["lib/oban/web/live/jobs/detail_component.ex"],"programRoutines":[{"name":"'Elixir.Oban.Web.Jobs.DetailComponent':handle_event/3"}],"repo":"https://github.com/oban-bg/oban_web.git","vendor":"oban-bg","versions":[{"lessThan":"ab3c5d1d3eba06c62045f16f2cd7781c7752e248","status":"affected","version":"a17bc8c31286c9d516e2892cf5483d1c95e65d6c","versionType":"git"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. <tt>:read_only</tt>).</p>"}],"value":"The Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. :read_only)."}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*","versionEndExcluding":"2.12.5","versionStartIncluding":"2.12.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"Peter Ullrich"},{"lang":"en","type":"remediation developer","value":"Parker Selbert"},{"lang":"en","type":"analyst","value":"Jonatan Männchen / EEF"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Missing Authorization vulnerability in oban-bg oban_web (<tt>'Elixir.Oban.Web.Jobs.DetailComponent'</tt> modules) allows unauthorized job worker substitution.</p><p>The <tt>handle_event(\"save-job\", ...)</tt> handler in <tt>'Elixir.Oban.Web.Jobs.DetailComponent'</tt> does not perform an authorization check, unlike the sibling <tt>cancel</tt>, <tt>delete</tt>, and <tt>retry</tt> handlers which all verify the caller's privileges via <tt>can?/2</tt>. An authenticated user with <tt>:read_only</tt> access can push a forged <tt>save-job</tt> LiveView WebSocket event to overwrite a job's <tt>worker</tt> field with any other existing <tt>Oban.Worker</tt> module in the application. On the job's next execution attempt, Oban will invoke <tt>perform/1</tt> on the attacker-chosen module instead of the intended one.</p><p>This issue affects oban_web: from 2.12.0 before 2.12.5.</p>"}],"value":"Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution.\n\nThe handle_event(\"save-job\", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.\n\nThis issue affects oban_web: from 2.12.0 before 2.12.5."}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.3,"baseSeverity":"MEDIUM","privilegesRequired":"LOW","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-27T15:41:23.434Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/oban-bg/oban_web/security/advisories/GHSA-389x-rgxr-8m33"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-48592.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-48592"},{"tags":["patch"],"url":"https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248"}],"source":{"discovery":"EXTERNAL"},"title":"Missing authorization check on save-job event handler in oban_web","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-48592","datePublished":"2026-05-26T19:46:48.611Z","dateReserved":"2026-05-22T09:36:56.834Z","dateUpdated":"2026-05-27T15:41:23.434Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}