{"id":"CVE-2026-57954","summary":"Elide 7.1.17 - Permission Bypass in Sort Expression Validation","details":"Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.","modified":"2026-07-15T01:49:01.313962765Z","published":"2026-06-29T17:21:55.510Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57954.json","cna_assigner":"VulnCheck","cwe_ids":["CWE-862"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57954.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-57954"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/elide-permission-bypass-in-sort-expression-validation"},{"type":"REPORT","url":"https://github.com/yahoo/elide/issues/3415"},{"type":"PACKAGE","url":"https://github.com/yahoo/elide"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yahoo/elide","events":[{"introduced":"0"},{"fixed":"13a63da8aadc9d862d9f8b1a3b47863e246c631b"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"7.1.17"},{"fixed":"7.1.17"}],"source":["AFFECTED_FIELD","DESCRIPTION"]}}],"versions":["7.1.16","7.1.15","7.1.14","7.1.13","7.1.12","7.1.11","7.1.10","7.1.9","7.1.8","7.1.7","7.1.6","7.1.5","7.1.4","7.1.3","7.1.2","7.1.1","7.1.0","7.0.5","7.0.4","7.0.3","7.0.2","7.0.1","7.0.0","7.0.0-pr6","7.0.0-pr5","7.0.0-pr4","7.0.0-pr3","6.1.10","6.1.9","6.1.8","6.1.7","6.1.6","6.1.5","6.1.4","6.1.3","6.1.2","6.1.1","6.1.0","6.0.6","6.0.5","6.0.4","6.0.3","6.0.2","6.0.1","6.0.0","6.0.0-pr7","6.0.0-pr6","6.0.0-pr5","6.0.0-pr4","6.0.0-pr3","6.0.0-pr2","6.0.0-pr1","5.0.12","5.0.11","5.0.10","5.0.9","5.0.8","5.0.7","5.0.6","5.0.5","5.0.4","5.0.3","5.0.2","5.0.1","5.0.0","5.0.0-pr34","5.0.0-pr33","5.0.0-pr32","5.0.0-pr31","5.0.0-pr30","4.6.8","4.6.7","4.6.6","4.6.5","4.6.4","4.6.3","4.6.2","4.6.1","4.6.0","4.5.16","4.5.15","4.5.14","4.5.13","4.5.12","4.5.11","4.5.10","4.5.9","4.5.8","4.5.7","4.5.6","4.5.5","4.5.4","4.5.3","4.5.2","4.5.1","4.5.0","4.4.5","4.4.4","4.4.3","4.4.2","4.4.1","4.4.0","4.3.3","4.3.2","4.3.1","4.3.0","4.2.14","4.2.13","4.2.12","4.2.11","4.2.10","4.2.9","4.2.8","4.2.7","4.2.6","4.2.5","4.2.4","4.2.3","4.2.2","4.2.1","4.2.0","4.1.0","4.0.2","4.0.1","4.0.0","4.0-beta-5","4.0-beta-4","4.0-beta-3","4.0-beta-2","4.0-beta-1","3.2.0","3.1.4","3.1.3","3.1.2","3.1.1","3.1.0","3.0.16","3.0.15","3.0.14","3.0.13","3.0.12","3.0.11","3.0.10","3.0.9","3.0.8","3.0.7","3.0.6","3.0.5","3.0.4","3.0.3","3.0.2","3.0.1","3.0.0","2.5.2","2.5.1","2.5.0","2.4.13","2.4.12","2.4.11","2.4.9","2.4.8","2.4.7","2.4.6","2.4.5","2.4.4","2.4.3","2.4.2","2.4.1","2.4.0","2.3.17","2.3.16","2.3.15","2.3.14","2.3.13","2.3.12","2.3.11","2.3.10","2.3.9","2.3.8","2.3.7","2.3.6","2.3.5","2.3.4","2.3.3","2.3.2","2.3.1","2.3.0","2.2.2","2.2.1","2.2.0","2.1.0","2.0.10","2.0.9","2.0.8","2.0.7","2.0.6","2.0.5","2.0.4","2.0.3","2.0.2","2.0.1","2.0.0","1.0.0.25","1.0.0.24","1.0.0.23","1.0.0.22","1.0.0.21","1.0.0.20","1.0.0.19","1.0.0.18","1.0.0.17","1.0.0.16","1.0.0.15","1.0.0.14","1.0.0.13","1.0.0.12","1.0.0.11","1.0.0.10","1.0.0.9","1.0.0.8","1.0.0.7","1.0.0.6","1.0.0.5","1.0.0.4","elide-parent-pom-1.0.0.3","elide-parent-pom-1.0.0.1","elide-parent-pom-1.0.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57954.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}