Threat Advisory

Avo Vulnerability Exposes Upload Authorization

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-53769 with a CVSS score of 6.5 is a vulnerability in the avo package, specifically affecting versions 2.28.0 to 3.32.0, where the direct attachment upload endpoint lacks server-side upload authorization, allowing an authenticated Avo user to bypass the documented field-level upload policy methods, such as `upload_{FIELD_ID}?`, and upload or replace attachment content, including binary content, filename, and content-type metadata, on a resolved record, even when both `update?` and `upload_?` policies deny the operation, by directly posting to the vulnerable endpoint, which is particularly concerning in multi-role Avo Pro/Advanced-style deployments where non-administrator or restricted operator users can reach Avo and per-record or per-field operations are expected to be enforced by policies, and if exploited, this vulnerability can lead to unauthorized data modification, potentially resulting in business impact and consequences, including data breaches or corruption, and prerequisites for exploitation include an attacker having authenticated access to the Avo application and being able to reach the direct attachment upload endpoint.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-53769 with a CVSS score of 6.5 is a vulnerability in the avo package, specifically affecting versions 2.28.0 to 3.32.0, where the direct attachment upload endpoint lacks server-side upload authorization, allowing an authenticated Avo user to bypass the documented field-level upload policy methods, such as `upload_{FIELD_ID}?`, and upload or replace attachment content, including binary content, filename, and content-type metadata, on a resolved record, even when both `update?` and `upload_?` policies deny the operation, by directly posting to the vulnerable endpoint, which is particularly concerning in multi-role Avo Pro/Advanced-style deployments where non-administrator or restricted operator users can reach Avo and per-record or per-field operations are expected to be enforced by policies, and if exploited, this vulnerability can lead to unauthorized data modification, potentially resulting in business impact and consequences, including data breaches or corruption, and prerequisites for exploitation include an attacker having authenticated access to the Avo application and being able to reach the direct attachment upload endpoint.[emaillocker id="1283"]

RECOMMENDATION:

We recommend you to update avo to version 3.32.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-pqpw-cvm4-8mv9

[/emaillocker]
crossmenu