Threat Advisory

DevGuard Vulnerability Enables Unauthorized VEX Modifications

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48089, with a CVSS score of 7.1, is a privilege-escalation flaw in DevGuard (go/github.com/l3montree-dev/devguard) that affects all versions prior to 1.4.2. The vulnerability stems from an improper authorization check on the API endpoints that manage public assets. When a DevGuard instance hosts one or more public assets, any authenticated user, regardless of organization, project membership, or role, can issue standard REST calls to create, update, reapply, or delete VEX rules, as well as submit dependency-vuln events, license risk entries, external references, and artifact updates for those assets. Exploitation requires only a valid account on the DevGuard server; no additional privileges or network proximity are needed, and the attacker need only target the public-read-exempt endpoints. By abusing this weakness, an adversary can manipulate the vulnerability picture presented to downstream consumers, marking real CVEs as false positives, silencing alerts, or erasing legitimate triage data, thereby undermining trust in the published vex.json or sbom.json and potentially violating compliance or security policies. The attack is contingent on the presence of public assets: private assets remain correctly gated, and the flaw does not affect assets that are not publicly exposed.
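As an added illustration (not DevGuard's code and not derived from the 1.4.2 fix), the Go snippet below models the class of check the summary describes: an authorization decision in which the public-asset exemption is applied before the HTTP method is considered, beside a corrected version that limits the exemption to read-only methods. Asset, Principal and the Member field are constructed names; the example assumes authentication is always required and that the exemption bypasses only the membership check.

```go
package main

import "net/http"

// Constructed model of the authorization pattern described in the advisory;
// illustrative code, not DevGuard's own implementation.
type Asset struct {
	Name   string
	Public bool
}

// Principal is the caller as established by the authentication layer; Member
// means the caller holds a write-capable role in the asset's project.
type Principal struct {
	Authenticated bool
	Member        bool
}

// isSafeMethod reports whether the request cannot change server state.
func isSafeMethod(method string) bool {
	return method == http.MethodGet || method == http.MethodHead
}

// authorizeWeak mirrors the flawed pattern: the public-asset exemption meant for
// read access is granted before the method is inspected, so any authenticated
// account may create, update or delete data on a public asset.
func authorizeWeak(p Principal, a Asset, method string) bool {
	if !p.Authenticated {
		return false
	}
	if a.Public {
		return true // membership check skipped for every method, not just reads
	}
	return p.Member
}

// authorizeFixed limits the exemption to safe methods; mutating requests on
// public and private assets alike must pass the membership check.
func authorizeFixed(p Principal, a Asset, method string) bool {
	if !p.Authenticated {
		return false
	}
	if a.Public && isSafeMethod(method) {
		return true
	}
	return p.Member
}
```

A regression test that exercises an outsider account against a public asset with GET and DELETE catches the difference between the two decisions.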

RECOMMENDATION:

  • We recommend updating DevGuard to version 1.4.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6p54-fw2f-q7gf
