3 matches found
CVE-2026-49858 API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. ApiPropertysecurity: ... is evaluated per request...
CVE-2026-49858
API Platform Core contains a cross-user attribute leak in JSON:API and HAL item normalizers due to a missing isCacheKeySafe gate. Affected versions: 2.6.0 up to 4.1.28, 4.2.25, and 4.3.11 (i.e., before 4.1.29, 4.2.26, 4.3.12). Root cause: componentsCache arrays are keyed on $context['cache_key'] ...
PT-2026-46233
Name of the Vulnerable Software and Affected Versions API Platform Core versions 2.6.0 through 4.1.28 API Platform Core versions 4.2.0 through 4.2.25 API Platform Core versions 4.3.0 through 4.3.11 Description A missing isCacheKeySafe gate in the JSON:API and HAL item normalizers leads to a...