PatchSiren cyber security CVE debrief
CVE-2026-48089 l3montree-dev CVE debrief
CVE-2026-48089 is a high-severity authorization vulnerability in DevGuard's vulnerability management API. Prior to version 1.4.2, any authenticated user, including one with no membership in the affected organization, project, or asset, can create, update, reapply, and delete VEX rules on public assets and can call other vulnerability-triage write endpoints for those assets. Only DevGuard API instances with one or more public assets are affected. The vulnerability carries a CVSS score of 7.1 (HIGH). To mitigate, update to version 1.4.2 or make the affected assets non-public.
- Vendor: l3montree-dev
- Product: devguard
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-19
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-19
- Advisory updated: 2026-06-22
Who should care
Organizations running DevGuard's vulnerability management API with one or more public assets should prioritize updating to version 1.4.2 or, until they can, making those assets non-public. Security teams and administrators responsible for DevGuard instances should first determine whether any asset is public, since instances without public assets are not affected, and then act on the exposed ones.
Technical summary
The vulnerability lies in DevGuard's API, specifically in how the access-control middleware handles public assets when a request reaches a vulnerability-triage write endpoint. An authenticated user, regardless of membership or role in the affected organization, project, or asset, can create, update, reapply, and delete VEX rules on a public asset. Because VEX rules record whether a vulnerability affects a product, an attacker who can write them can alter the triage state that the instance reports for that asset. The root cause is an authorization bypass in the access-control middleware for public assets; version 1.4.2 corrects the authorization logic.
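The following is an added example, not DevGuard's code, written in Go because that is the language of DevGuard's API server. It models the class of bug the advisory describes: an authorization check in which an asset's "public" flag short-circuits the decision for every action, so an authenticated non-member passes the check for VEX-rule writes as well as reads. The vulnerable form sits beside a hardened form that lets "public" satisfy only read actions and denies by default. All types, role names, and function names are assumptions made for illustration; the scenario data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Everything in this file is a hypothetical model of the authorization
// decision described in the advisory. It is not DevGuard's implementation;
// the types, roles and function names are assumptions made for illustration.

type Role int

const (
	RoleNone   Role = iota // user holds no membership on the asset
	RoleMember             // user belongs to the org/project/asset
)

type Action int

const (
	ActionRead     Action = iota // view findings on an asset
	ActionWriteVEX               // create/update/reapply/delete VEX rules
)

type Asset struct {
	ID     string
	Public bool
}

type User struct {
	ID            string
	Authenticated bool
	Roles         map[string]Role // asset ID -> role this user holds there
}

var ErrUnauthorized = errors.New("unauthorized")

// roleOn looks up the user's role on an asset; a nil map yields RoleNone.
func (u User) roleOn(a Asset) Role { return u.Roles[a.ID] }

// vulnerableAuthorize shows the flawed pattern: the public flag returns
// "allow" before the action is considered, so write actions fall through.
func vulnerableAuthorize(u User, a Asset, act Action) error {
	if !u.Authenticated {
		return ErrUnauthorized
	}
	if a.Public {
		return nil // bug: ActionWriteVEX is allowed here for any authenticated user
	}
	if u.roleOn(a) == RoleNone {
		return ErrUnauthorized
	}
	return nil
}

// fixedAuthorize lets the public flag satisfy read actions only; every
// write still requires membership on the asset, and the default is deny.
func fixedAuthorize(u User, a Asset, act Action) error {
	if !u.Authenticated {
		return ErrUnauthorized
	}
	if act == ActionRead && a.Public {
		return nil
	}
	if u.roleOn(a) != RoleNone {
		return nil
	}
	return ErrUnauthorized
}

// exposureCheck runs both authorizers over a constructed scenario and reports
// whether an authenticated outsider may write VEX rules on a public asset.
func exposureCheck() (vulnerableAllows, fixedAllows bool) {
	publicAsset := Asset{ID: "asset-public", Public: true}
	outsider := User{ID: "outsider", Authenticated: true, Roles: map[string]Role{}}
	vulnerableAllows = vulnerableAuthorize(outsider, publicAsset, ActionWriteVEX) == nil
	fixedAllows = fixedAuthorize(outsider, publicAsset, ActionWriteVEX) == nil
	return vulnerableAllows, fixedAllows
}

func main() {
	v, f := exposureCheck()
	fmt.Printf("outsider may write VEX rules on a public asset: vulnerable=%v fixed=%v\n", v, f)
}
```

The design point is that "public" is a statement about visibility, so it belongs only on the read branch of the decision; any check that lets it answer for write actions hands triage control to every account on the instance. Ordering the hardened version as explicit allows followed by a final deny keeps new actions denied by default until someone adds a rule for them.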
Defensive priority
High priority for any instance with public assets: every authenticated account can modify the triage state of those assets by writing or deleting VEX rules, so the integrity of vulnerability findings cannot be trusted until the patch or the non-public workaround is in place.
Recommended defensive actions
- Update DevGuard to version 1.4.2 or later to apply the patch.
- Until the update is applied, make affected assets non-public so that the bypass no longer reaches them.
- Review which users hold write access to vulnerability-triage endpoints on public assets, and confirm after patching that non-members are denied.
- Monitor DevGuard instances with public assets for VEX-rule changes made by accounts that are not members of the asset's organization or project, and review such changes made before the patch was applied.
- If you make assets non-public as a workaround, check that downstream consumers of the public endpoints are either granted explicit access or supplied with exported file versions instead.
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its impact, and the available patch. GitHub references offer additional context and a commit hash for the fix. The CVSS score and vector indicate the severity and characteristics of the vulnerability.
Official resources
This article is AI-assisted and based on the supplied source corpus.