CVE-2026-42205

Name of the Vulnerable Software and Affected Versions Avo versions prior to 3.31.2

Description A broken access control issue exists in the ActionsController due to insecure action lookup logic in the action class() function. An authenticated user can execute any Action class that descends from Avo::BaseAction on any resource, regardless of whether the action is registered for that specific resource. This occurs because the controller identifies the action class solely based on the action id parameter without verifying if the action is permitted for the resource context. This can lead to privilege escalation and unauthorized data manipulation, such as executing administrative actions through unrelated resource endpoints.

Recommendations Update to version 3.31.2.