Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
GHSA-qc5p-3mg5-9fh8 · CVE-2026-42205
Published · Modified
Description
Summary
A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.
Details
The vulnerability exists in the action_class method within app/controllers/avo/actions_controller.rb.
Vulnerable Code
def action_class
# It searches through ALL descendants of BaseAction without resource validation
Avo::BaseAction.descendants.find do |action|
action.to_s == params[:action_id]
end
end
The controller identifies the action class to execute solely based on the params[:action_id] by searching through all BaseAction descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., /admin/resources/posts/actions).
Consequently, an attacker can invoke sensitive actions (e.g., Avo::Actions::ToggleAdmin) through an unrelated resource endpoint (e.g., Post), bypassing the intended resource-action mapping.
Impact
This flaw results in significant security risks:
- Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions.
- Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database.
- Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.
Proof of Concept (PoC)
Steps to Reproduce:
- Log in to the Avo admin panel with limited permissions.
- Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g.,
Avo::Actions::ToggleAdmin). - Send a POST request to a resource endpoint where the target action is not registered:
- URL:
POST /admin/resources/posts/actions - Payload:
action_id=Avo::Actions::ToggleAdmin&fields[avo_resource_ids]=1
- URL:
- The server executes the
ToggleAdminlogic on User 1, even though the request was made through thepostsresource context.
PoC Script Snippet:
# Simulating the unauthorized action execution
data = {
'action_id': 'Avo::Actions::ToggleAdmin',
'fields[avo_resource_ids]': '1', # Target Record ID
'authenticity_token': csrf_token
}
response = session.post(f"{BASE_URL}/admin/resources/posts/actions", data=data)
Remediation
Restrict the action lookup to only those actions explicitly registered for the current resource context:
def action_class
# Validate that the action is registered for the current resource
@resource.get_actions.find do |action|
action.to_s == params[:action_id]
end
end
Discoverer
Illunight
References
- WEB https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42205
- PACKAGE https://github.com/avo-hq/avo
- WEB https://github.com/avo-hq/avo/releases/tag/v3.31.2
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2026-42205.yml
Ready to move
Start Securing
Free, no credit card | First findings in minutes