PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53911 cerebrate CVE debrief

CVE-2026-53911 is a medium-severity vulnerability in Cerebrate, a software application, that allows an authenticated attacker to modify records due to a mass-assignment issue. The vulnerability has a CVSS score of 6.3 and was published on 2026-06-11T10:16:21.757Z. The issue was fixed in Cerebrate version 1.37.

Vendor
cerebrate
Product
Unknown
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-11
Original CVE updated
2026-06-11
Advisory published
2026-06-11
Advisory updated
2026-06-11

Who should care

Users of Cerebrate software, particularly those with authenticated access, should be aware of this vulnerability and take steps to upgrade to version 1.37 or apply necessary patches.

Technical summary

The vulnerability, discovered by Jeroen Pinoy with additional support from AI-Assisted Optus 4.8, involves the id primary key field being supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to Cerebrate version 1.37 or later.
  • Review and update entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection.
  • Ensure that the id field is marked as inaccessible in the base AppModel entity.
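The three actions above come down to one entity-level rule: request data must never be allowed to overwrite the primary key. The following PHP script is an added illustration, not Cerebrate's own code. Cerebrate is built on CakePHP, whose entities declare mass-assignable fields in a `$_accessible` array with a `'*'` default and per-field overrides; the script re-creates that rule in plain PHP with hypothetical stand-in classes (`Entity`, `PermissiveUser`, `AppModel`, `HardenedUser`) and a stand-in `patchEntity()` function, so it runs without the framework. The crafted request body is constructed for the demonstration.

```php
<?php
// Added illustration, not Cerebrate's own code. Models, in plain PHP, the
// accessible-field rule CakePHP entities use ($_accessible with a '*' default
// and per-field entries). All class and function names are hypothetical.
declare(strict_types=1);

abstract class Entity
{
    /** @var array<string,bool> which request fields may be mass-assigned */
    protected array $_accessible = ['*' => true];
    private array $fields = [];

    public function __construct(array $fields)
    {
        $this->fields = $fields;
    }

    public function isAccessible(string $field): bool
    {
        // An explicit per-field entry wins; otherwise fall back to the '*' default.
        return $this->_accessible[$field] ?? $this->_accessible['*'] ?? false;
    }

    public function get(string $field): mixed
    {
        return $this->fields[$field] ?? null;
    }

    public function set(string $field, mixed $value): void
    {
        $this->fields[$field] = $value;
    }
}

// Permissive default: every field, including id, is writable from request data.
class PermissiveUser extends Entity
{
}

// Hardened base entity: id can never be mass-assigned, other fields keep the default.
// Subclasses inherit the protection unless they redeclare $_accessible.
abstract class AppModel extends Entity
{
    protected array $_accessible = ['*' => true, 'id' => false];
}

class HardenedUser extends AppModel
{
}

/** Stand-in for patching an entity from request data; inaccessible fields are dropped. */
function patchEntity(Entity $entity, array $requestData): Entity
{
    foreach ($requestData as $field => $value) {
        if ($entity->isAccessible($field)) {
            $entity->set($field, $value);
        }
    }
    return $entity;
}

/** Simulates an edit handler: the record loaded by the route id is patched with the body. */
function editedRecordId(Entity $loadedByRoute, array $body): int
{
    return (int) patchEntity($loadedByRoute, $body)->get('id');
}

// Constructed scenario: the caller is allowed to edit record 7 but submits id=1 in the body.
$crafted = ['id' => 1, 'name' => 'changed'];

$permissive = editedRecordId(new PermissiveUser(['id' => 7, 'name' => 'original']), $crafted);
echo "permissive entity: save would target id {$permissive}\n"; // the body's id replaces the route's

$hardened = editedRecordId(new HardenedUser(['id' => 7, 'name' => 'original']), $crafted);
echo "hardened entity:   save would target id {$hardened}\n";   // the route's id is preserved
```

Putting `'id' => false` in the base entity is what makes the fix stick across the entity types listed above: each subclass inherits the rule instead of relying on every developer to remember it. A quick check after upgrading is to grep the entity directory for any class that redeclares `$_accessible` without an explicit `'id' => false`, since such a redeclaration would reopen the gap for that one entity.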

Evidence notes

This vulnerability stems from an initial finding by Jeroen Pinoy, with additional support from AI-Assisted Optus 4.8; disclosure was coordinated by Andras Iklody.

Official resources

CVE-2026-53911 was published on 2026-06-11T10:16:21.757Z and modified on 2026-06-11T15:24:44.007Z.