Threat Advisory

Avo Vulnerability Exposes Authorization Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-55518 with a CVSS score of 9.6 is a critical missing authorization flaw in the Avo association attach workflow, affecting versions of the avo package less than or equal to 3.32.0 and versions greater than or equal to 4.0.0.beta.1 but less than 4.0.0.beta.51. This vulnerability allows an authenticated low-privileged Avo user to bypass hidden or disabled attach controls and directly attach related records to a parent record by sending a crafted POST request to the /resources/:resource/:id/:related endpoint. An attacker can exploit this vulnerability by using the POST endpoint, which requires authenticated access, to attach a related record to a parent record, gaining the capability to manipulate relationships and potentially escalate privileges. If exploited, this vulnerability can lead to significant business impact, including privilege escalation and cross-tenant data exposure, particularly in applications where associations represent teams, tenants, roles, projects, users, memberships, ownership, or other authorization-bearing relationships. Prerequisites for exploitation include a Rails application mounted with Avo, enabled Avo authorization, a low-privileged user able to authenticate to Avo, and reachable parent and related records by ID, as well as a relevant policy that denies attaching the relationship.
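As an added illustration of the authorization gap described above (example code, not from Avo or from this advisory): a plain-Ruby model of an attach handler that trusts hidden UI controls beside one that re-evaluates the policy server-side on every request, plus a triage pass over constructed access-log lines for POSTs to the /resources/:resource/:id/:related shape. The TeamPolicy#attach_members? naming mirrors the Pundit-style attach_<association>? convention (an assumption about Avo's policy naming, not taken from the advisory), and the User/Team structs and log format are constructed.

```ruby
# Added example, not Avo's code. Models the authorization a server-side
# attach handler must perform, beside the unchecked pattern the advisory
# describes, plus a triage pass over constructed access-log lines.
require 'set'

User = Struct.new(:id, :role)
Team = Struct.new(:id, :member_ids)

class AuthorizationError < StandardError; end

# Hypothetical policy in the Pundit-style "attach_<association>?" convention
# (an assumption about naming): only admins may attach members to a team.
class TeamPolicy
  def initialize(user, team)
    @user = user
    @team = team
  end

  def attach_members?
    @user.role == :admin
  end
end

# Unchecked pattern: the UI hides the attach button for non-admins, but the
# POST handler trusts that and mutates unconditionally. Any authenticated
# user who can reach the route attaches a record regardless of policy.
def attach_member_unchecked(_user, team, related_id)
  team.member_ids << related_id unless team.member_ids.include?(related_id)
  team
end

# Hardened pattern: the handler re-evaluates the policy on every request, so
# hidden or disabled controls are a convenience and not the enforcement point.
def attach_member_checked(user, team, related_id)
  policy = TeamPolicy.new(user, team)
  unless policy.attach_members?
    raise AuthorizationError, "#{user.id} may not attach members to team #{team.id}"
  end
  team.member_ids << related_id unless team.member_ids.include?(related_id)
  team
end

# Triage heuristic over access logs: list POSTs to the
# /resources/:resource/:id/:related shape made by users outside the set
# expected to attach. Log format (constructed): "user=<id> METHOD path status".
ATTACH_PATH = %r{\A/resources/[^/]+/[^/]+/[^/]+\z}

def suspicious_attach_posts(lines, allowed_user_ids)
  lines.filter_map do |line|
    m = line.match(/\Auser=(\S+) (\S+) (\S+) (\d{3})\z/)
    next unless m
    user, method, path, status = m.captures
    next unless method == 'POST' && path.match?(ATTACH_PATH)
    next if allowed_user_ids.include?(user)
    { user: user, path: path, status: status.to_i }
  end
end

# Constructed sample log for the triage pass.
SAMPLE_LOG = [
  'user=alice POST /resources/teams/7/members 302',   # alice is admin: expected
  'user=bob GET /resources/teams/7 200',              # a read, not an attach
  'user=bob POST /resources/teams/7/members 302',     # bob is not admin: review
  'user=bob POST /resources/projects/3/users 403'     # denied attempt: still review
].freeze

if __FILE__ == $PROGRAM_NAME
  admin = User.new('alice', :admin)
  viewer = User.new('bob', :viewer)
  team = Team.new(7, [])
  attach_member_checked(admin, team, 42)
  begin
    attach_member_checked(viewer, team, 43)
  rescue AuthorizationError => e
    puts "blocked: #{e.message}"
  end
  suspicious_attach_posts(SAMPLE_LOG, Set['alice']).each { |h| puts "review: #{h}" }
end
```

The point of the pair is that the `attach_member_unchecked` shape is exactly what a hidden or disabled control protects against in the browser only; once the policy is consulted inside the handler, the same POST from a low-privileged user is rejected whether or not the control was rendered. The log pass is a starting point for reviewing attach activity that predates the upgrade, since a successful attach by an unexpected user is the observable trace of the bypass.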

RECOMMENDATION:

We recommend updating avo to version 3.32.1 or 4.0.0.beta.51.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-8fq9-273g-6mrg
