CVE-2026-55736
Private action arguments can be set by user input in Ash
Weakness Type (CWE)
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CAPEC
Vulnerability description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.
In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.
An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.
This issue affects ash: from 3.0.0 before 3.29.3.
Affected
pkg:hex/ash
| Module | Source File | Routine |
|---|---|---|
| Ash.Changeset | lib/ash/changeset/changeset.ex | Ash.Changeset.cast_params/4 |
| | | Ash.Changeset.get_action_argument/2 |
| | | Ash.Changeset.atomic_params/4 |
| | | Ash.Changeset.has_argument?/2 |
pkg:github/ash-project/ash
| Module | Source File | Routine |
|---|---|---|
| Ash.Changeset | lib/ash/changeset/changeset.ex | Ash.Changeset.cast_params/4 |
| | | Ash.Changeset.get_action_argument/2 |
| | | Ash.Changeset.atomic_params/4 |
| | | Ash.Changeset.has_argument?/2 |
| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | git | 5967ed3a48 | < d9b3100219 |
Configurations
An action must declare a private argument (one defined with public?: false) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into Ash.Changeset.for_create/3, for_update/3, for_destroy/3, or into an atomic or bulk update.
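As an added defence-in-depth example (not code from the Ash project or from this advisory), the following Elixir module removes private-argument keys from an untrusted parameter map before the map is handed to Ash, matching the keys both as atoms and as strings, which is the gap described above for the regular changeset path. Because the map is cleaned before it reaches Ash, the same sanitized map can be passed to an atomic or bulk update. It assumes that Ash.Resource.Info.action/2 returns the action struct and that each entry in its arguments list carries :name and :public? fields; MyApp.ParamsGuard, MyApp.Post and current_user are hypothetical names. Upgrading to a fixed release remains the actual remediation.

```elixir
defmodule MyApp.ParamsGuard do
  @moduledoc """
  Defence-in-depth wrapper: drops private action arguments (public?: false)
  from an untrusted parameter map before the map reaches
  Ash.Changeset.for_create/3, for_update/3, for_destroy/3 or an atomic/bulk
  update. Keys are matched both as atoms and as strings.
  """

  # Collect the names of the private arguments declared on one action.
  # Assumption: Ash.Resource.Info.action/2 returns the action struct and each
  # element of action.arguments has :name and :public? fields.
  def private_argument_names(resource, action_name) do
    case Ash.Resource.Info.action(resource, action_name) do
      nil -> []
      action -> for arg <- action.arguments, arg.public? == false, do: arg.name
    end
  end

  # Pure helper: drop every key that names a private argument, whether the
  # caller supplied it as :acting_user_id or as "acting_user_id".
  def strip_private_arguments(params, private_names) when is_map(params) do
    blocked =
      private_names
      |> Enum.flat_map(fn name -> [name, Atom.to_string(name)] end)
      |> MapSet.new()

    params
    |> Enum.reject(fn {key, _value} -> MapSet.member?(blocked, key) end)
    |> Map.new()
  end

  # Build a create changeset from request input, then set the private
  # argument from the authenticated session instead of from the request.
  # (:acting_user_id is the example argument named in the advisory.)
  def for_create_from_request(resource, action_name, params, current_user) do
    clean = strip_private_arguments(params, private_argument_names(resource, action_name))

    resource
    |> Ash.Changeset.for_create(action_name, clean)
    |> Ash.Changeset.set_private_argument(:acting_user_id, current_user.id)
  end
end

# Constructed request map (not real traffic): the string key is the form that
# the incomplete filter let through on affected versions.
untrusted = %{"title" => "hello", "acting_user_id" => 42}

# Only the "title" key survives; the private argument must come from the session.
MyApp.ParamsGuard.strip_private_arguments(untrusted, [:acting_user_id])
```

The strip step is deliberately pure (no Ash calls) so it can be unit-tested against atom-keyed and string-keyed maps independently of a resource; the list of private names is looked up once per action and then applied to every incoming map for that action.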
References
- https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw vendor-advisory related
- https://osv.dev/vulnerability/EEF-CVE-2026-55736 related
- https://github.com/ash-project/ash/commit/d9b3100219b3ea86d73202bf7368c03a7688efea patch
Credits
- Finder: Alfred Vié
- Remediation reviewer: Zach Daniel
- Analyst: Jonatan Männchen / EEF
CVE record as JSON:
GET /cves/CVE-2026-55736.json
OSV record as JSON:
GET /osv/EEF-CVE-2026-55736.json