PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48592 oban-bg CVE debrief

A missing authorization check in Oban Web's job detail component allows read-only users to substitute job workers. The `handle_event/3` callback for the `save-job` event in `Elixir.Oban.Web.Jobs.DetailComponent` fails to verify user privileges via the `can?/2` function, unlike sibling handlers for cancel, delete, and retry operations. An authenticated attacker with `:read_only` access can forge a LiveView WebSocket event to overwrite a job's `worker` field with any existing `Oban.Worker` module in the application. When the job next executes, Oban invokes `perform/1` on the attacker-selected module instead of the intended worker. This affects oban_web versions 2.12.0 through 2.12.4.

Vendor
oban-bg
Product
oban_web
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations running Oban Web versions 2.12.0-2.12.4 with multi-user dashboard access, particularly those granting read-only permissions to operational or support staff. Elixir/Phoenix applications using Oban for background job processing where worker modules perform sensitive or privileged operations.

Technical summary

The vulnerability stems from inconsistent authorization enforcement across event handlers in Oban Web's job management interface. While the `cancel`, `delete`, and `retry` handlers validate user privileges through a `can?/2` helper, the `save-job` handler lacks this verification. This asymmetry permits privilege escalation from read-only access to selection of which worker runs a job. The attack vector requires authenticated WebSocket access to the LiveView dashboard, so any user with dashboard visibility can trigger it. The impact is bounded because the attacker can only choose among worker modules that already exist in the application, not execute arbitrary code; it still enables unauthorized invocation of business logic and potential data manipulation through a substituted worker.
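To make the asymmetry concrete, the following Phoenix LiveComponent sketch is a constructed illustration added here, not Oban Web's source; the module name, the `current_user` assign with its `:access` key, and the `can?/2` clauses are assumptions modelled on the advisory's description.

```elixir
# Constructed illustration of the missing-authorization pattern behind
# CVE-2026-48592. Module, assign and helper names are assumptions, not
# Oban Web's real code.
defmodule MyApp.Dashboard.JobDetailComponent do
  use Phoenix.LiveComponent

  # Assumed privilege predicate: read-only users may not mutate jobs.
  defp can?(:update_job, %{access: :read_only}), do: false
  defp can?(:update_job, %{access: _other}), do: true

  # Sibling handler: the mutation is gated on can?/2.
  def handle_event("cancel", _params, socket) do
    if can?(:update_job, socket.assigns.current_user) do
      {:noreply, assign(socket, :job, %{socket.assigns.job | state: "cancelled"})}
    else
      {:noreply, assign(socket, :error, "not authorized")}
    end
  end

  # Vulnerable shape (for contrast): the guard is absent, so a read-only
  # user can overwrite the worker field with any existing worker module.
  def handle_event("save-job-unchecked", %{"worker" => worker}, socket) do
    {:noreply, put_worker(socket, worker)}
  end

  # Hardened shape: apply the same can?/2 check the siblings use.
  def handle_event("save-job", %{"worker" => worker}, socket) do
    if can?(:update_job, socket.assigns.current_user) do
      {:noreply, put_worker(socket, worker)}
    else
      {:noreply, assign(socket, :error, "not authorized")}
    end
  end

  # Only accept module names that already exist in the VM; never create
  # atoms from user input. A real dashboard would also persist the change.
  defp put_worker(socket, worker) when is_binary(worker) do
    case Code.ensure_loaded(String.to_existing_atom("Elixir." <> worker)) do
      {:module, mod} -> assign(socket, :job, %{socket.assigns.job | worker: mod})
      {:error, _} -> assign(socket, :error, "unknown worker")
    end
  rescue
    ArgumentError -> assign(socket, :error, "unknown worker")
  end
end
```

The defensive takeaway is that every mutating event handler on the component must go through the same predicate; a single unguarded clause is enough to undo the protection the others provide.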

Defensive priority

medium

Recommended defensive actions

  • Upgrade oban_web to version 2.12.5 or later
  • Review application logs for unauthorized job worker modifications between 2026-05-26 and patch deployment
  • Audit user access levels to ensure least-privilege principles for Oban Web dashboard access
  • Implement network segmentation to limit LiveView WebSocket exposure to authorized administrative hosts only
  • Monitor for anomalous job execution patterns indicating worker substitution

Evidence notes

CVE description confirms the vulnerability exists in the `handle_event/3` callback for `save-job` events within `Elixir.Oban.Web.Jobs.DetailComponent`. The fix commit (ref-5) adds authorization checks to align with sibling handlers. GitHub Security Advisory (ref-6) provides vendor acknowledgment. CWE-862 (Missing Authorization) is assigned per source metadata.

Official resources

2026-05-26