CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers
Vulnerability ID: CVE-2026-49858
CVSS Score: 5.9
Published: 2026-07-10
CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.
TL;DR
Unsafe in-memory caching in API Platform Core's JSON:API and HAL normalizers leaks sensitive properties across different user contexts when running under persistent PHP environments like FrankenPHP or RoadRunner.
Technical Details
- CWE ID: CWE-524
- Attack Vector: Network (AV:N)
- CVSS v3.1: 5.9 (Medium)
- EPSS Score: 0.00197
- Impact: High Confidentiality Exposure
- Exploit Status: None (No public exploit or PoC)
- KEV Status: Not Listed
Affected Systems
- API Platform Core
- api-platform/core
- api-platform/hal
- api-platform/json-api
-
api-platform/core: >= 4.1.0, < 4.1.29 (Fixed in:
4.1.29) -
api-platform/core: >= 4.2.0, < 4.2.26 (Fixed in:
4.2.26) -
api-platform/core: >= 4.3.0, < 4.3.12 (Fixed in:
4.3.12)
Code Analysis
Commit: 019fd90
fix(serializer): gate cache_key in JsonApi and Hal with isCacheKeySafe
diff --git a/src/JsonApi/Serializer/ItemNormalizer.php b/src/JsonApi/Serializer/ItemNormalizer.php
index a093a17..dfc4a17 100644
--- a/src/JsonApi/Serializer/ItemNormalizer.php
+++ b/src/JsonApi/Serializer/ItemNormalizer.php
@@ -34,3 +34,3 @@
if (!isset($context['cache_key'])) {
- $context['cache_key'] = $this->getCacheKey($format, $context);
+ $context['cache_key'] = $this->isCacheKeySafe($context) ? $this->getCacheKey($format, $context) : false;
}
Commit: 1bfd6ee
refactor(serializer): bump static analysis rules and optimize cache security key evaluation
diff --git a/src/Serializer/AbstractItemNormalizer.php b/src/Serializer/AbstractItemNormalizer.php
Mitigation Strategies
- Upgrade the API Platform Core package to version 4.1.29, 4.2.26, 4.3.12 or higher.
- Temporarily disable persistent application workers (FrankenPHP worker mode, Swoole, RoadRunner) and fallback to stateless PHP-FPM runtime environments.
- Decorate the SerializerContextBuilder to explicitly nullify the cache_key parameter during serialization of HAL and JSON:API formats.
Remediation Steps:
- Run 'composer update api-platform/core' to pull the latest security patch.
- Verify the installed version of API Platform Core using 'composer show api-platform/core'.
- Restart long-running persistent PHP worker processes to purge any compromised cache states from memory.
References
- GHSA-pjhx-3c3w-9v23 Security Advisory
- CVE-2026-49858 authoritative CVE Record
- NVD - CVE-2026-49858 Detailed Report
- Fix Git Commit for ItemNormalizers Cache Key Gating
Read the full report for CVE-2026-49858 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)