CVE-2026-48592

Name of the Vulnerable Software and Affected Versions oban web versions 2.12.0 through 2.12.4

Description A missing authorization issue in the Elixir.Oban.Web.Jobs.DetailComponent module allows unauthorized job worker substitution. The handle event("save-job", ...) handler fails to perform authorization checks, whereas other handlers like cancel, delete, and retry verify privileges using can?/2. An authenticated user with :read only access can send a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. Consequently, during the next execution attempt, Oban will invoke the perform/1 function on the module chosen by the attacker instead of the intended one. This occurs when the Oban.Web dashboard is deployed and accessible to users with limited job-management privileges.

Recommendations Update to version 2.12.5.