PT-2026-36866 · Rubygems · Avo

Published

2026-04-24

·

Updated

2026-04-24

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework (v3.x). Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application.

Details

The vulnerability exists in the action class method within app/controllers/avo/actions controller.rb.

Vulnerable Code

ruby
def action class
 # It searches through ALL descendants of BaseAction without resource validation
 Avo::BaseAction.descendants.find do |action|
  action.to s == params[:action id]
 end
end
The controller identifies the action class to execute solely based on the params[:action id] by searching through all BaseAction descendants. It fails to verify whether the requested action is actually permitted or registered for the resource context specified in the request URL (e.g., /admin/resources/posts/actions).
Consequently, an attacker can invoke sensitive actions (e.g., Avo::Actions::ToggleAdmin) through an unrelated resource endpoint (e.g., Post), bypassing the intended resource-action mapping.

Impact

This flaw results in significant security risks:
  • Privilege Escalation: An authenticated user with low privileges can execute administrative actions (like toggling admin roles) to escalate their own or others' permissions.
  • Unauthorized Operations: Actions designed for restricted resources can be triggered against any record ID in the database.
  • Data Integrity Compromise: Attackers can perform unauthorized destructive operations (e.g., Delete, Archive, or Update) on records they should not have access to.

Proof of Concept (PoC)

Steps to Reproduce:
  1. Log in to the Avo admin panel with limited permissions.
  2. Identify a target record ID (e.g., User ID: 1) and a sensitive action class (e.g., Avo::Actions::ToggleAdmin).
  3. Send a POST request to a resource endpoint where the target action is not registered:
  • URL: POST /admin/resources/posts/actions
  • Payload: action id=Avo::Actions::ToggleAdmin&fields[avo resource ids]=1
  1. The server executes the ToggleAdmin logic on User 1, even though the request was made through the posts resource context.
PoC Script Snippet:
python
# Simulating the unauthorized action execution
data = {
  'action id': 'Avo::Actions::ToggleAdmin',
  'fields[avo resource ids]': '1', # Target Record ID
  'authenticity token': csrf token
}
response = session.post(f"{BASE URL}/admin/resources/posts/actions", data=data)

Remediation

Restrict the action lookup to only those actions explicitly registered for the current resource context:
ruby
def action class
 # Validate that the action is registered for the current resource
 @resource.get actions.find do |action|
  action.to s == params[:action id]
 end
end

Discoverer

Illunight

Exploit

Fix

Improper Access Control

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-639

Related Identifiers

GHSA-QC5P-3MG5-9FH8

Affected Products

Avo