Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. api-platform/json-api
  4. ›
  5. CVE-2026-49858

CVE-2026-49858: API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate

July 10, 2026

#[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them.

This is the same vulnerability class as GHSA-428q-q3vv-3fq3 / CVE-2025-31485, which fixed only the GraphQL ItemNormalizer. The JSON:API and HAL paths were not addressed at the time.

References

  • github.com/advisories/GHSA-pjhx-3c3w-9v23
  • github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23
  • nvd.nist.gov/vuln/detail/CVE-2026-49858

Code Behaviors & Features

Detect and mitigate CVE-2026-49858 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 4.0.0 before 4.1.29, all versions starting from 4.2.0 before 4.2.25, all versions starting from 4.3.0 before 4.3.8

Fixed versions

  • 4.1.29
  • 4.2.25
  • 4.3.8

Solution

Upgrade to versions 4.1.29, 4.2.25, 4.3.8 or above.

Impact 5.9 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-524: Use of Cache Containing Sensitive Information
  • CWE-639: Authorization Bypass Through User-Controlled Key

Source file

packagist/api-platform/json-api/CVE-2026-49858.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 11 Jul 2026 12:17:22 +0000.