RubySec

Providing security resources for the Ruby community

CVE-2026-53769 (avo): Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy

Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy

Published: June 02, 2026

SECURITY IDENTIFIERS

GEM

avo

SEVERITY

CVSS v3.x: 6.5 (Medium)

UNAFFECTED VERSIONS

< 2.28.0

PATCHED VERSIONS

~> 3.32.0 >= 4.0.0.beta.41

DESCRIPTION

Summary

Avo's direct attachment upload endpoint lacks server-side upload authorization and bypasses the documented field-level upload policy methods such as upload_{FIELD_ID}?.

An authenticated Avo user who can reach the Avo attachment upload endpoint can replace or add attachment content, including binary content, filename, and content-type metadata, on a resolved record even when both update? and upload_<field>? policies deny the operation.

This primarily affects multi-role Avo Pro/Advanced-style deployments where non-administrator or restricted operator users can reach Avo and per-record or per-field operations are expected to be enforced by policies.

RELATED