Oban Web · Oban Web · CVE-2026-48592
**Name of the Vulnerable Software and Affected Versions**
Oban Web versions 2.12.0 through 2.12.4
**Description**
A missing authorization check in the `Oban.Web.Jobs.DetailComponent` module (`Elixir.Oban.Web.Jobs.DetailComponent`) allows unauthorized job worker substitution. The `handle_event("save-job", ...)` handler performs no authorization check, whereas the sibling handlers for cancel, delete, and retry verify privileges with `can?/2`. An authenticated dashboard user with `:read_only` access can therefore push a forged `save-job` event over the LiveView WebSocket and overwrite a job's `worker` field with the name of any other `Oban.Worker` module present in the application. On the job's next execution attempt, Oban invokes `perform/1` on the attacker-chosen module instead of the intended one, with the job's original args. The issue is reachable wherever the Oban Web dashboard is deployed and exposed to users who hold only limited job-management privileges; hiding the edit form in the UI does not prevent the event from being sent, since the check has to happen server-side in the handler.
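The pattern the description points at, shown as an added illustration rather than Oban Web's own source: a Phoenix LiveComponent whose sibling handler gates a mutation on `can?/2` while the `save-job` handler writes unconditionally, followed by the hardened form that applies the same gate. The module names, the `:access` assign, the `:update_jobs` action, and the `MyApp.Jobs` functions are assumptions made for this example and do not reproduce Oban Web's real structure.

```elixir
# Added illustration, not Oban Web's source. `can?/2`, the `:access` assign,
# and `MyApp.Jobs.*` are assumptions of this example.
defmodule MyApp.Dashboard.Jobs.DetailComponent do
  use Phoenix.LiveComponent

  # Assumed policy helper: access is :all, :read_only, or a list of permitted
  # actions such as [:cancel_jobs, :retry_jobs].
  def can?(:all, _action), do: true
  def can?(:read_only, _action), do: false
  def can?(actions, action) when is_list(actions), do: action in actions

  def render(assigns) do
    ~H"""
    <div><%= assigns[:error] %></div>
    """
  end

  # Sibling handler: every mutation is gated on the caller's access level.
  def handle_event("cancel", %{"id" => id}, socket) do
    if can?(socket.assigns.access, :cancel_jobs) do
      MyApp.Jobs.cancel(id)
      {:noreply, socket}
    else
      {:noreply, assign(socket, :error, "not permitted")}
    end
  end

  # Vulnerable pattern: the event name is matched, the caller's privileges are
  # not. Any connected user can push this event over the LiveView channel,
  # whether or not the UI ever rendered an edit form for them.
  def handle_event("save-job", %{"id" => id, "worker" => worker}, socket) do
    MyApp.Jobs.update_worker(id, worker)
    {:noreply, socket}
  end
end

defmodule MyApp.Dashboard.Jobs.DetailComponentFixed do
  use Phoenix.LiveComponent
  import MyApp.Dashboard.Jobs.DetailComponent, only: [can?: 2]

  def render(assigns) do
    ~H"""
    <div><%= assigns[:error] %></div>
    """
  end

  # Hardened pattern: the same gate the other handlers use, applied before the
  # write. The server-side check is the control; client-side hiding is not.
  def handle_event("save-job", %{"id" => id, "worker" => worker}, socket) do
    if can?(socket.assigns.access, :update_jobs) do
      MyApp.Jobs.update_worker(id, worker)
      {:noreply, socket}
    else
      {:noreply, assign(socket, :error, "not permitted")}
    end
  end
end
```

When auditing a LiveView dashboard for this class of bug, list every `handle_event/3` clause that performs a write and confirm each one reaches the same authorization helper as its siblings; a single ungated clause is enough, because the client chooses which event name to send.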
**Recommendations**
Update Oban Web to version 2.12.5 or later. Until the update is deployed, limit dashboard access to users who are trusted with full job management, since any authenticated user with `:read_only` access can reach the unguarded handler.