GHSA-6P54-FW2F-Q7GF

Vulnerability from github – Published: 2026-06-11 20:26 – Updated: 2026-06-11 20:26
VLAI
Summary
DevGuard has improper authorization on public assets
Details

Impact

On a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including:

  • VEX rule create / update / reapply / delete
  • Dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation
  • License risk creation
  • External reference writes
  • Artifact creation and license refresh

The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required.

Security impact is primarily to integrity of the vulnerability picture of public assets: an attacker can mark CVEs as false-positive, silence vulnerabilities, attach misleading justifications, or delete legitimate triage rules — undermining the trustworthiness of every consumer of the affected asset's VEX/SBOM output. Because public assets are by definition consumed by third parties (downstream users, supply-chain consumers, the published vex.json/sbom.json), the blast radius extends to anyone relying on that data.

Private assets are not affected by this advisory: the public-read exemption that enables the bypass does not apply to them, and access remains correctly gated by organization/project membership. The private setting is only relevant in DevGuard itself — there is no impact given when you have an open-source project on e.g. GitLab/GitHub and a private DevGuard asset connected.

Patches

Version v1.4.2contains a patch. Users should upgrade to the patched release as soon as it is available.

Workarounds

If developers cannot upgrade their applications immediately:

  • ** They should make affected assets non-public.** In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public vex.json / sbom.json endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.

Resources

Fixed commit: https://github.com/l3montree-dev/devguard/commit/1be88ec1309a5dc0566e35a23bdc4ea3ecd11417

Credit

DeevGuard thanks @philipflohr (awesome-it.de) for finding and responsibly reporting this vulnerability!

Severity
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/l3montree-dev/devguard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T20:26:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nOn a DevGuard API instance with one or more **public assets**, any authenticated user \u2014 including users from a different organization with no membership or role in the affected org/project \u2014 can create, update, reapply, and delete **VEX rules** on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including:\n\n- VEX rule create / update / reapply / delete\n- Dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation\n- License risk creation\n- External reference writes\n- Artifact creation and license refresh\n\nThe attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required.\n\n**Security impact** is primarily to **integrity** of the vulnerability picture of public assets: an attacker can mark CVEs as false-positive, silence vulnerabilities, attach misleading justifications, or delete legitimate triage rules \u2014 undermining the trustworthiness of every consumer of the affected asset\u0027s VEX/SBOM output. Because public assets are by definition consumed by third parties (downstream users, supply-chain consumers, the published vex.json/sbom.json), the blast radius extends to anyone relying on that data.\n\nPrivate assets are **not affected** by this advisory: the public-read exemption that enables the bypass does not apply to them, and access remains correctly gated by organization/project membership. The private setting is only relevant in DevGuard itself \u2014  there is no impact given when you have an open-source project on e.g. GitLab/GitHub and a private DevGuard asset connected.\n\n### Patches\n\nVersion `v1.4.2`contains a patch. Users should upgrade to the patched release as soon as it is available.\n\n### Workarounds\n\nIf developers cannot upgrade their applications immediately:\n\n- ** They should make affected assets non-public.** In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.\n\n### Resources\nFixed commit: https://github.com/l3montree-dev/devguard/commit/1be88ec1309a5dc0566e35a23bdc4ea3ecd11417\n\n### Credit\n\nDeevGuard thanks @philipflohr ([awesome-it.de](https://awesome-it.de/)) for finding and responsibly reporting this vulnerability!",
  "id": "GHSA-6p54-fw2f-q7gf",
  "modified": "2026-06-11T20:26:18Z",
  "published": "2026-06-11T20:26:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/l3montree-dev/devguard/security/advisories/GHSA-6p54-fw2f-q7gf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/l3montree-dev/devguard/commit/1be88ec1309a5dc0566e35a23bdc4ea3ecd11417"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/l3montree-dev/devguard"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DevGuard has improper authorization on public assets"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.