{"id":"CVE-2026-48089","summary":"DevGuard has improper authorization on public assets","details":"DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2`contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.","aliases":["GHSA-6p54-fw2f-q7gf","GO-2026-5183"],"modified":"2026-07-08T08:12:34.914429477Z","published":"2026-06-19T19:38:04.175Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48089.json","cwe_ids":["CWE-285","CWE-863"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48089.json"},{"type":"ADVISORY","url":"https://github.com/l3montree-dev/devguard/security/advisories/GHSA-6p54-fw2f-q7gf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48089"},{"type":"FIX","url":"https://github.com/l3montree-dev/devguard/commit/1be88ec1309a5dc0566e35a23bdc4ea3ecd11417"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/l3montree-dev/devguard","events":[{"introduced":"0"},{"fixed":"1be88ec1309a5dc0566e35a23bdc4ea3ecd11417"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.4.2"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v1.4.1","v1.4.0-rc.1","v1.4.0","v1.3.1","v1.3.0","v1.2.0","v1.1.0","v1.0.1","v1.0.0","v1.0.0-rc.18","v1.0.0-rc.17","v1.0.0-rc.16","v1.0.0-rc.15","v1.0.0-rc.14","v1.0.0-rc.13","v1.0.0-rc.12","v1.0.0-rc.11","v1.0.0-rc.10","v1.0.0-rc.9","v1.0.0-rc.8","v1.0.0-rc.7","v1.0.0-rc.6","v1.0.0-rc.5","v1.0.0-rc.4","v1.0.0-rc.3","v1.0.0-rc.2","v1.0.0-rc.1","v0.19.2","v0.19.1","v0.19.0","v0.18.9","v0.18.5","v0.18.8","v0.18.7","v0.18.6","v0.18.4","v0.18.3","v0.18.2","v0.18.1","0.18.1","v0.18.0","v0.17.5","v0.17.4","v0.17.3","v0.17.2","v0.17.1","v0.17.0","0.16.0","0.15.3","0.15.2","0.15.1","0.15.0","0.14.4","0.14.3","0.14.2","0.14.1","0.14.0","0.13.18","0.13.17","0.13.16","0.13.15","0.13.14","0.13.13","0.13.12","0.13.11","0.13.9","0.13.10","0.13.3","0.13.4","0.13.2","0.13.1","0.13.0","0.12.3","0.12.2","0.12.1","0.12.0","0.11.0","0.11.1","0.10.1","0.10.0","0.9.1","0.9.0","devguard-0.5.20","devguard-0.5.19","0.8.3","devguard-0.5.18","0.8.2","0.8.1","0.8.0","0.7.0","0.6.0","devguard-0.5.17","devguard-0.5.15","devguard-0.5.14","devguard-0.5.13","v0.5.14","0.5.13","devguard-0.5.12","devguard-0.5.10","devguard-0.5.9","devguard-0.5.8","devguard-0.5.7","devguard-0.5.6","devguard-0.5.5","devguard-0.5.4","v0.4.19","devguard-0.4.19","v0.5.0","devguard-0.5.0","v0.4.18","devguard-0.4.18","v0.4.17","devguard-0.4.17","devguard-0.4.16","v0.4.16","flawfix-0.4.16","v0.4.15","flawfix-0.4.15","v0.4.14","flawfix-0.4.14","v0.4.13","flawfix-0.4.13","v0.4.12","flawfix-0.4.12","v0.4.11","flawfix-0.4.11","v0.4.10","flawfix-0.4.10","v0.4.9","flawfix-0.4.9","v0.4.8","flawfix-0.4.8","v0.4.7","flawfix-0.4.7","v0.4.6","flawfix-0.4.6","v0.4.5","flawfix-0.4.5","v0.4.4","flawfix-0.4.4","v0.4.3","flawfix-0.4.1","v0.4.2","v0.4.1","flawfix-0.4.0","v0.4.0","v0.3.1","v0.3.0","v0.2.0","flawfix-0.2.0","flawfix-0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48089.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:N"}]}