PT-2026-36862 — Improper Authorization in Packagist Almirhodzic/Nova-Toggle-5

PT-2026-36862 · Packagist · Almirhodzic/Nova-Toggle-5

Published

2026-04-24

Updated

2026-04-24

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Impact

In versions < 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area).

The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource.

Patches

Fixed in 1.3.0:

The route is now protected by Nova's nova:api middleware, which enforces the viewNova gate.
The controller now checks the resource's authorizedToUpdate policy.
The controller only accepts attributes that are declared as a Toggle field on the resource and are not readonly in the current request context.

Workarounds

Users who cannot upgrade immediately can either remove the package or restrict access to the /nova-vendor/nova-toggle/toggle/* routes via an additional middleware in their application that enforces the viewNova gate.

Credits

nova-toggle-5 thanks Roberto Negro for the responsible disclosure.

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285

Related Identifiers

GHSA-F5C8-M5VW-RMGQ

Affected Products

Almirhodzic/Nova-Toggle-5