CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller
Vulnerability ID: CVE-2026-53634
CVSS Score: 4.3
Published: 2026-07-08
Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.
TL;DR
An authenticated but unauthorized user can bypass Laravel authorization checks to retrieve configuration forms and submit records via Code16 Sharp's Quick Creation Command feature.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network (AV:N)
- CVSS Base Score: 4.3 (Medium)
- EPSS Score: 0.00213
- Impact: Low Integrity Impact (Privilege Escalation)
- Exploit Status: Proof of Concept and patch details available, no active exploitation in the wild
- KEV Status: Not Listed
Affected Systems
- Code16 Sharp
-
Code16 Sharp: >= 9.0.0, < 9.22.3 (Fixed in:
9.22.3)
Code Analysis
Commit: aa18a85
Add authorization check to ApiEntityListQuickCreationCommandController
Mitigation Strategies
- Upgrade Code16 Sharp package dependencies to version 9.22.3 or higher.
- Review permission mapping policies for all models linked with Quick Creation Command features.
Remediation Steps:
- Analyze the current installed version of the package in composer.json.
- Run 'composer update code16/sharp' inside your production deployment pipeline.
- Execute automated integration tests with simulated low-privilege sessions to confirm 403 response behaviors.
References
- NVD - CVE-2026-53634 Detail
- GitHub Security Advisory - GHSA-vmwx-m75v-qvch
- GitHub Pull Request 729
- Fix Commit aa18a85fd8fef830988a336cad2278986729d21a
Read the full report for CVE-2026-53634 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)