AIKIDO-2026-10298

laravel/boost is vulnerable to Incorrect Authorization

Incorrect Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 5, 2026

71

High Risk

This Affects:

PHP: laravel/boost
1.0.0 - 2.1.7
Fixed in 2.1.8

TL;DR

Affected versions of this package improperly enforce a read-only guard for SQL statements using Common Table Expressions (CTEs), allowing queries such as WITH x AS (SELECT 1) DELETE FROM users to bypass validation because the regex only checks for the presence of SELECT after WITH. An attacker could exploit this weakness by crafting a malicious CTE that includes a valid SELECT in the CTE body while executing a destructive statement (e.g., DELETE, UPDATE, or INSERT) afterward, effectively performing unauthorized write operations in contexts that are expected to permit only read-only queries.
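As an added example (not laravel/boost's own code; the weak regex below is an assumption modelled on the advisory's description, not the pattern shipped in the package), a PHP sketch of a read-only guard in its bypassable form beside a hardened one that rejects the CTE trick and data-modifying CTEs:

```php
<?php
declare(strict_types=1);

// Write-capable keywords that must never appear in a read-only query,
// even inside a CTE body (PostgreSQL allows data-modifying CTEs).
const WRITE_KEYWORDS = '/\b(INSERT|UPDATE|DELETE|MERGE|REPLACE|DROP|ALTER|TRUNCATE|CREATE|GRANT|REVOKE|CALL|EXEC|EXECUTE)\b/i';

/** Weak guard (assumed shape): a WITH passes as long as some SELECT follows it. */
function isReadOnlyWeak(string $sql): bool
{
    return (bool) preg_match('/^(SELECT\b|WITH\b.*\bSELECT\b)/is', trim($sql));
}

/** Blank out comments and string literals so keywords inside them are not scanned. */
function stripLiteralsAndComments(string $sql): string
{
    $sql = preg_replace('/--[^\n]*/', ' ', $sql);
    $sql = preg_replace('#/\*.*?\*/#s', ' ', $sql);
    return preg_replace("/'(?:[^']|'')*'/", "''", $sql);
}

/** Hardened guard: one statement, allow-listed statement type, no write keyword anywhere. */
function isReadOnlyStrict(string $sql): bool
{
    $clean = rtrim(trim(stripLiteralsAndComments($sql)), "; \t\r\n");
    if ($clean === '' || str_contains($clean, ';')) {
        return false; // empty input or statement batching
    }
    if (!preg_match('/^(SELECT|WITH)\b/i', $clean)) {
        return false; // only SELECT or WITH ... SELECT may start a read-only query
    }
    return !preg_match(WRITE_KEYWORDS, $clean);
}

// Constructed sample statements with the verdict a read-only guard should give.
$samples = [
    "SELECT id FROM users WHERE name = 'delete me'"                      => true,
    'WITH recent AS (SELECT id FROM orders) SELECT COUNT(*) FROM recent' => true,
    'WITH x AS (SELECT 1) DELETE FROM users'                             => false, // the advisory's bypass
    'WITH d AS (DELETE FROM users RETURNING id) SELECT * FROM d'         => false, // data-modifying CTE
    'SELECT 1; DROP TABLE users'                                         => false, // batching
];
foreach ($samples as $sql => $expected) {
    printf("weak=%-5s strict=%-5s expected=%-5s %s\n",
        isReadOnlyWeak($sql) ? 'allow' : 'deny',
        isReadOnlyStrict($sql) ? 'allow' : 'deny',
        $expected ? 'allow' : 'deny', $sql);
}
```

The weak guard allows the third and fourth samples; the strict guard denies them while still passing the two legitimate queries, at the cost of rejecting harmless column names that happen to match a write keyword.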

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

laravel/boost is vulnerable to Incorrect Authorization in versions 1.0.0 - 2.1.7.

How to fix this

Upgrade the laravel/boost library to the patched version, 2.1.8 or later.