Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy
Published: June 02, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-53769 (NVD)
- GHSA: GHSA-pqpw-cvm4-8mv9
GEM
SEVERITY
CVSS v3.x: 6.5 (Medium)
UNAFFECTED VERSIONS
< 2.28.0
PATCHED VERSIONS
~> 3.32.0
>= 4.0.0.beta.41
DESCRIPTION
Summary
Avo's direct attachment upload endpoint lacks server-side upload authorization and bypasses the documented field-level upload policy methods such as upload_{FIELD_ID}?.
An authenticated Avo user who can reach the Avo attachment upload endpoint can replace or add attachment content, including binary content, filename, and content-type metadata, on a resolved record even when both update? and upload_<field>? policies deny the operation.
This primarily affects multi-role Avo Pro/Advanced-style deployments where non-administrator or restricted operator users can reach Avo and per-record or per-field operations are expected to be enforced by policies.
