avo is vulnerable to Incorrect Authorization
65
Medium Risk
Avo’s direct attachment upload endpoint does not enforce server-side authorization and bypasses the documented field-level policy checks, allowing attachment changes even when update? and upload_<field>? explicitly deny them. In affected multi-role Avo Pro/Advanced deployments, a low-privileged authenticated user who can access the upload route may add or replace files on existing records, including arbitrary binary content, filenames, and content-type metadata. An attacker could exploit this by targeting records they should not be able to modify and uploading unauthorized files or tampered attachments, potentially leading to data integrity issues, malicious file placement, or abuse of trusted file-handling workflows.
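The following Ruby sketch is an added illustration, not Avo's code: it contrasts an upload handler that stores a file without consulting any policy with one that denies the write unless both the record-level update? check and the field-level upload_<field>? check pass, the two checks the advisory names. The PostPolicy, Post, User and handler names are hypothetical.

```ruby
# Added illustration (not Avo's code). Names below are hypothetical and only
# mirror the update? / upload_<field>? policy convention the advisory describes.

Post = Struct.new(:id, :owner_id, :attachments)
User = Struct.new(:id, :role)

# Pundit-style policy: record-level permission plus per-field upload permission.
class PostPolicy
  def initialize(user, record)
    @user = user
    @record = record
  end

  # General edit permission: admins and the record's owner.
  def update?
    @user.role == :admin || @record.owner_id == @user.id
  end

  # Field-level permission: only admins may replace the :contract attachment.
  def upload_contract?
    @user.role == :admin
  end

  # Resolve upload_<field>? dynamically; fields without a specific rule fall back
  # to update?, so an unknown field never silently grants more than the record does.
  def upload_field?(field)
    method_name = :"upload_#{field}?"
    respond_to?(method_name) ? public_send(method_name) : update?
  end
end

# Vulnerable shape: the direct upload route writes the file without any policy call,
# so callers who can reach the route can change attachments on any record.
def direct_upload_unchecked(record, field, filename)
  record.attachments[field] = filename
  :stored
end

# Hardened shape: refuse the write unless BOTH checks pass for this user and record.
def direct_upload_checked(user, record, field, filename)
  policy = PostPolicy.new(user, record)
  return :forbidden unless policy.update? && policy.upload_field?(field)

  record.attachments[field] = filename
  :stored
end
```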
You are affected if you are using a version that falls within the vulnerable range.
avo is vulnerable to Incorrect Authorization in versions 2.28.0 - 3.31.2.
Upgrade the avo library to a patched version.