Multiple security vulnerabilities affecting api-platform/core versions >= 4.3.0, < 4.3.8 affecting api-platform/json-api versions >= 4.0.0, < 4.1.29 affecting api-platform/core versions >= 2.6.0, < 4.1.29 affecting api-platform/core versions >= 4.2.0, < 4.2.25 have been identified in api-platform/core, api-platform/json-api and api-platform/hal. The overall risk/impact is medium.
CVE-2026-49858 (CVSS 5.9 — Severity): A cross-user attribute leak vulnerability exists in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate, allowing a user with lower privileges to see the structure of properties that the security predicate would otherwise have hidden for them.[/subscribe_to_unlock_form]
Multiple security vulnerabilities affecting api-platform/core versions >= 4.3.0, < 4.3.8 affecting api-platform/json-api versions >= 4.0.0, < 4.1.29 affecting api-platform/core versions >= 2.6.0, < 4.1.29 affecting api-platform/core versions >= 4.2.0, < 4.2.25 have been identified in api-platform/core, api-platform/json-api and api-platform/hal. The overall risk/impact is medium.
CVE-2026-49858 (CVSS 5.9 — Severity): A cross-user attribute leak vulnerability exists in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate, allowing a user with lower privileges to see the structure of properties that the security predicate would otherwise have hidden for them.[emaillocker id="1283"]
We recommend you to update api-platform/core to version 4.1.29.
The following reports contain further technical details:
[/emaillocker]