Advisory Database
  • Advisories
  • Dependency Scanning
  1. gem
  2. ›
  3. view_component
  4. ›
  5. CVE-2026-54497

CVE-2026-54497: ViewComponent: Reused Component Instances Retain Stale Render Context

July 15, 2026

ViewComponent::Base instances retain multiple render-scoped objects across calls to render_in. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, view_flow, format/variant details, and slot child context from an earlier render.

This can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.

References

  • github.com/ViewComponent/view_component/commit/7b05073be28037f7d5ff141e9dd42f3cf47956a4
  • github.com/ViewComponent/view_component/releases/tag/v4.12.0
  • github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49
  • github.com/advisories/GHSA-9h85-g7w3-rh49
  • github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-54497.yml
  • nvd.nist.gov/vuln/detail/CVE-2026-54497
  • www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497

Code Behaviors & Features

Detect and mitigate CVE-2026-54497 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 4.0.0 before 4.12.0

Fixed versions

  • 4.12.0

Solution

Upgrade to version 4.12.0 or above.

Impact 6.8 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-488: Exposure of Data Element to Wrong Session
  • CWE-668: Exposure of Resource to Wrong Sphere

Source file

gem/view_component/CVE-2026-54497.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 16 Jul 2026 12:16:59 +0000.