PatchSiren cyber security CVE debrief
CVE-2026-55736 ash-project CVE debrief
CVE-2026-55736 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash. The issue allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. This occurs because Ash filters out private arguments incompletely when building a changeset from a parameter map: private arguments are stripped only when the parameter key is an atom, not when the key is a binary (string), which is the form user-supplied parameters take. Depending on how the application uses the argument, this can lead to integrity violations or privilege escalation. Affected versions of ash are 3.0.0 and later, before 3.29.3.
- Vendor: ash-project
- Product: ash
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-25
Who should care
Developers and administrators running ash-project ash versions from 3.0.0 up to but not including 3.29.3 should be aware of this vulnerability. It could allow attackers to inject values for private action arguments, potentially leading to unauthorized actions or data modifications. Applications that use private action arguments for authorization or record ownership are particularly at risk.
Technical summary
The vulnerability arises from incomplete filtering of private arguments in Ash changesets. When building a changeset from a parameter map, Ash is supposed to filter out private arguments. However, this filtering fails when the parameter key is a binary (string), which is common for user-supplied input. In the regular changeset path (for_create, for_update, for_destroy), private arguments are only stripped when the parameter key is an atom. In atomic paths (Ash.Changeset.fully_atomic_changeset/4, atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary. This allows attackers to set values for private action arguments, which could be used for malicious purposes such as privilege escalation or data tampering.
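Added illustration of the key-type gap described above (not Ash's own code; the module, function names and sample values are assumed): a private-argument filter that only compares atom keys leaves a string-keyed, user-supplied map untouched, while one that normalises every key to its string form strips the private argument in both cases.

```elixir
defmodule PrivateArgFilter do
  @moduledoc """
  Stand-in for the private-argument filtering step of a changeset build.
  Illustrative code for CVE-2026-55736, not Ash's implementation.
  """

  # Vulnerable shape: only atom keys are matched against the private list,
  # so a decoded request body (string keys) passes through unchanged.
  def strip_private_atoms_only(params, private_args) when is_map(params) do
    Map.drop(params, private_args)
  end

  # Hardened shape: compare on the string form of every key, so :owner_id and
  # "owner_id" are both recognised as the same private argument.
  def strip_private(params, private_args) when is_map(params) do
    private_names = MapSet.new(private_args, &Atom.to_string/1)

    params
    |> Enum.reject(fn {key, _value} -> MapSet.member?(private_names, key_name(key)) end)
    |> Map.new()
  end

  defp key_name(key) when is_atom(key), do: Atom.to_string(key)
  defp key_name(key) when is_binary(key), do: key
  defp key_name(key), do: inspect(key)

  # Constructed sample: a string-keyed map as a web layer hands it over from a
  # request body, plus the action's private argument list (assumed names).
  def demo do
    user_params = %{"title" => "hello", "owner_id" => 42}
    private_args = [:owner_id]

    %{
      vulnerable: strip_private_atoms_only(user_params, private_args),
      hardened: strip_private(user_params, private_args)
    }
  end
end
```

`demo/0` returns both results side by side: the atom-only filter keeps the user-supplied "owner_id", the hardened filter removes it.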
Defensive priority
Medium priority should be given to addressing this vulnerability, as it could lead to integrity violations or privilege escalation. The CVSS score of 5.9 indicates a medium severity level.
Recommended defensive actions
- Upgrade ash-project ash to version 3.29.3 or later to fix the vulnerability.
- Review application code to identify and protect sensitive private action arguments.
- Implement additional input validation and sanitization for user-supplied parameters.
- Monitor application logs for suspicious activity related to private action arguments.
- Consider implementing compensating controls, such as role-based access control, to mitigate potential impacts.
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. Additional sources, including the ash-project ash advisory and OSV vulnerability report, offer further context and technical details. The CVE was published on 2026-06-23 and modified on 2026-06-25.
Official resources
- CVE-2026-55736 CVE record (CVE.org)
- CVE-2026-55736 NVD detail (NVD)
- Source reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
This article is AI-assisted and based on the supplied source corpus.