DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-53634: CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Vulnerability ID: CVE-2026-53634
CVSS Score: 4.3
Published: 2026-07-08

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

TL;DR

An authenticated but unauthorized user can bypass Laravel authorization checks to retrieve configuration forms and submit records via Code16 Sharp's Quick Creation Command feature.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network (AV:N)
  • CVSS Base Score: 4.3 (Medium)
  • EPSS Score: 0.00213
  • Impact: Low Integrity Impact (Privilege Escalation)
  • Exploit Status: Proof of Concept and patch details available, no active exploitation in the wild
  • KEV Status: Not Listed

Affected Systems

  • Code16 Sharp
  • Code16 Sharp: >= 9.0.0, < 9.22.3 (Fixed in: 9.22.3)

Code Analysis

Commit: aa18a85

Add authorization check to ApiEntityListQuickCreationCommandController

Mitigation Strategies

  • Upgrade Code16 Sharp package dependencies to version 9.22.3 or higher.
  • Review permission mapping policies for all models linked with Quick Creation Command features.

Remediation Steps:

  1. Analyze the current installed version of the package in composer.json.
  2. Run 'composer update code16/sharp' inside your production deployment pipeline.
  3. Execute automated integration tests with simulated low-privilege sessions to confirm 403 response behaviors.

References


Read the full report for CVE-2026-53634 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)