Threat Advisory

API Platform Core Vulnerable to Cross-User Attribute Leak

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting api-platform/core versions >= 4.3.0, < 4.3.8 affecting api-platform/json-api versions >= 4.0.0, < 4.1.29 affecting api-platform/core versions >= 2.6.0, < 4.1.29 affecting api-platform/core versions >= 4.2.0, < 4.2.25 have been identified in api-platform/core, api-platform/json-api and api-platform/hal. The overall risk/impact is medium.

CVE-2026-49858 (CVSS 5.9 — Severity): A cross-user attribute leak vulnerability exists in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate, allowing a user with lower privileges to see the structure of properties that the security predicate would otherwise have hidden for them.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting api-platform/core versions >= 4.3.0, < 4.3.8 affecting api-platform/json-api versions >= 4.0.0, < 4.1.29 affecting api-platform/core versions >= 2.6.0, < 4.1.29 affecting api-platform/core versions >= 4.2.0, < 4.2.25 have been identified in api-platform/core, api-platform/json-api and api-platform/hal. The overall risk/impact is medium.

CVE-2026-49858 (CVSS 5.9 — Severity): A cross-user attribute leak vulnerability exists in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate, allowing a user with lower privileges to see the structure of properties that the security predicate would otherwise have hidden for them.[emaillocker id="1283"]

RECOMMENDATION:

We recommend you to update api-platform/core to version 4.1.29.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu