CVE-2026-42205

Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources

Assigner: GitHub_M
Reserved: 25.04.2026 Published: 08.05.2026 Updated: 08.05.2026

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	avo-hq
Product	avo
Versions	Version < 3.31.2 is affected

Vendor

avo-hq

Product

avo

Versions

Version < 3.31.2 is affected

References

Problem Types

CWE-284: Improper Access Control CWE
CWE-639: Authorization Bypass Through User-Controlled Key CWE

CVE-2026-42205 PUBLISHED

Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources

Metrics

Product Status

References

Problem Types