Intel

AIKIDO-2026-217972

ash is vulnerable to Attribute Injection

Attribute InjectionCVE-2026-55736 Published Jun 25, 2026

59

Medium Risk

This Affects:

elixirash
3.0.0 - 3.29.2
Fixed in 3.29.3
Are you affected? Scan for Free

TL;DR

Affected versions of Ash do not consistently filter private action arguments (public?: false) from user-supplied parameter maps, allowing attackers to set values intended for trusted server-side code. Applications that expose actions with private arguments to untrusted users may be vulnerable to integrity violations or privilege escalation if those arguments influence authorization, identity, or record ownership.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

ash is vulnerable to Attribute Injection in versions 3.0.0 - 3.29.2.

How to fix this

Upgrade the ash library to the patch version.