Reused Component Instances Retain Stale Render Context
Published: June 04, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54497 (NVD)
- GHSA: GHSA-9h85-g7w3-rh49
GEM
SEVERITY
CVSS v3.x: 6.8 (Medium)
UNAFFECTED VERSIONS
< 4.0.0
PATCHED VERSIONS
>= 4.12.0
DESCRIPTION
Summary
ViewComponent::Base instances retain multiple render-scoped objects across calls to render_in. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, view_flow, format/variant details, and slot child context from an earlier render.
This can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.
