PT-2026-36862 · Packagist · Almirhodzic/Nova-Toggle-5

Publicado

2026-04-24

·

Atualizado

2026-04-24

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Impact

In versions < 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area).
The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource.

Patches

Fixed in 1.3.0:
  • The route is now protected by Nova's nova:api middleware, which enforces the viewNova gate.
  • The controller now checks the resource's authorizedToUpdate policy.
  • The controller only accepts attributes that are declared as a Toggle field on the resource and are not readonly in the current request context.

Workarounds

Users who cannot upgrade immediately can either remove the package or restrict access to the /nova-vendor/nova-toggle/toggle/* routes via an additional middleware in their application that enforces the viewNova gate.

Credits

nova-toggle-5 thanks Roberto Negro for the responsible disclosure.

Correção

Improper Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-285

Identificadores relacionados

GHSA-F5C8-M5VW-RMGQ

Produtos afetados

Almirhodzic/Nova-Toggle-5