CVE-2026-57954 PUBLISHED

Elide 7.1.17 - Permission Bypass in Sort Expression Validation

Assigner: VulnCheck
Reserved: 26.06.2026
Published: 29.06.2026
Updated: 30.06.2026

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, so a client can sort a collection by a field it is not permitted to read. Because the row order of the response reflects the values of the forbidden field, an attacker can infer hidden field values through ordering analysis, leaking the relative ordering of that field across all rows. Both the JSON:API and GraphQL read paths are affected.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor: yahoo
Product: elide
Versions (default: unaffected):
  • affected from 0 through 7.1.17 (inclusive)

Credits

  • George Chen (finder)

References

Problem Types

  • CWE: Missing Authorization