DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-49858: CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers

CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers

Vulnerability ID: CVE-2026-49858
CVSS Score: 5.9
Published: 2026-07-10

CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.

TL;DR

Unsafe in-memory caching in API Platform Core's JSON:API and HAL normalizers leaks sensitive properties across different user contexts when running under persistent PHP environments like FrankenPHP or RoadRunner.


Technical Details

  • CWE ID: CWE-524
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 5.9 (Medium)
  • EPSS Score: 0.00197
  • Impact: High Confidentiality Exposure
  • Exploit Status: None (No public exploit or PoC)
  • KEV Status: Not Listed

Affected Systems

  • API Platform Core
  • api-platform/core
  • api-platform/hal
  • api-platform/json-api
  • api-platform/core: >= 4.1.0, < 4.1.29 (Fixed in: 4.1.29)
  • api-platform/core: >= 4.2.0, < 4.2.26 (Fixed in: 4.2.26)
  • api-platform/core: >= 4.3.0, < 4.3.12 (Fixed in: 4.3.12)

Code Analysis

Commit: 019fd90

fix(serializer): gate cache_key in JsonApi and Hal with isCacheKeySafe

diff --git a/src/JsonApi/Serializer/ItemNormalizer.php b/src/JsonApi/Serializer/ItemNormalizer.php
index a093a17..dfc4a17 100644
--- a/src/JsonApi/Serializer/ItemNormalizer.php
+++ b/src/JsonApi/Serializer/ItemNormalizer.php
@@ -34,3 +34,3 @@
         if (!isset($context['cache_key'])) {
-            $context['cache_key'] = $this->getCacheKey($format, $context);
+            $context['cache_key'] = $this->isCacheKeySafe($context) ? $this->getCacheKey($format, $context) : false;
         }
Enter fullscreen mode Exit fullscreen mode

Commit: 1bfd6ee

refactor(serializer): bump static analysis rules and optimize cache security key evaluation

diff --git a/src/Serializer/AbstractItemNormalizer.php b/src/Serializer/AbstractItemNormalizer.php
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade the API Platform Core package to version 4.1.29, 4.2.26, 4.3.12 or higher.
  • Temporarily disable persistent application workers (FrankenPHP worker mode, Swoole, RoadRunner) and fallback to stateless PHP-FPM runtime environments.
  • Decorate the SerializerContextBuilder to explicitly nullify the cache_key parameter during serialization of HAL and JSON:API formats.

Remediation Steps:

  1. Run 'composer update api-platform/core' to pull the latest security patch.
  2. Verify the installed version of API Platform Core using 'composer show api-platform/core'.
  3. Restart long-running persistent PHP worker processes to purge any compromised cache states from memory.

References


Read the full report for CVE-2026-49858 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)