GHSA-F5C8-M5VW-RMGQ: Improper Authorization in almirhodzic/nova-toggle-5
Vulnerability ID: GHSA-F5C8-M5VW-RMGQ
CVSS Score: 7.1
Published: 2026-04-24
The almirhodzic/nova-toggle-5 package for Laravel Nova fails to properly enforce authorization checks on its API toggle endpoint. This allows any authenticated user to arbitrarily modify boolean fields on any database model exposed through the Nova administration panel, leading to severe broken access control and potential privilege escalation.
TL;DR
A broken access control vulnerability in a Laravel Nova toggle component allows standard authenticated users to bypass administrative policies and flip sensitive database boolean fields (like is_admin or is_active) via a poorly protected API endpoint.
Technical Details
- CWE ID: CWE-285
- Attack Vector: Network
- Impact: High Integrity Loss (Unauthorized Data Modification)
- Authentication Required: Yes (Standard User)
- Privileges Required: Low
- User Interaction: None
Affected Systems
- Laravel Nova
- almirhodzic/nova-toggle-5
- almirhodzic/nova-toggle-5: < 1.3.0 (Fixed in: 1.3.0)
Mitigation Strategies
- Upgrade the affected package to the patched version.
- Audit and enforce robust Laravel resource policies (specifically the update method) for all Nova resources.
- Review application architecture to ensure administrative endpoints are isolated and protected by strict gate checks.
Remediation Steps:
- Run composer update almirhodzic/nova-toggle-5 to pull version 1.3.0 or higher.
- Commit the updated composer.lock file.
- Deploy the application and clear route/config caches.
- Review historical server logs for unauthorized POST requests to /nova-vendor/nova-toggle-5/toggle.
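As an added illustration of the policy enforcement the mitigation calls for (not code from the almirhodzic/nova-toggle-5 package), the sketch below shows a toggle route that delegates to the resource's update policy and only accepts allow-listed attributes. The route path is the one named in this advisory; the nova-toggle.toggleable config key, the Post/PostPolicy classes and the nova middleware group are assumptions.

```php
<?php
// Hypothetical hardened toggle endpoint for a Nova tool (assumed names throughout).
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

Route::post('/nova-vendor/nova-toggle-5/toggle', function (Request $request) {
    $data = $request->validate([
        'model'     => ['required', 'string'],
        'id'        => ['required'],
        'attribute' => ['required', 'string', 'regex:/^[a-z][a-z0-9_]*$/'],
    ]);

    // 1. Only models the application explicitly opted in may be toggled.
    //    Assumed config: ['App\Models\Post' => ['is_published', 'is_featured']]
    $allowed = config('nova-toggle.toggleable', []);
    if (! array_key_exists($data['model'], $allowed)) {
        abort(404);
    }

    // 2. Only allow-listed boolean attributes on that model. This is what stops
    //    a request from naming is_admin or is_active on a model never meant for it.
    if (! in_array($data['attribute'], $allowed[$data['model']], true)) {
        abort(403);
    }

    $model = $data['model']::findOrFail($data['id']);

    // 3. Defer to the same policy the Nova edit form uses: the authenticated
    //    user must be permitted to update THIS record. Throws (403) otherwise.
    Gate::authorize('update', $model);

    $model->{$data['attribute']} = ! (bool) $model->{$data['attribute']};
    $model->save();

    return response()->json(['value' => (bool) $model->{$data['attribute']}]);
})->middleware(['nova']); // assumed: Nova's authenticated middleware group

// Policy the Gate call resolves to for App\Models\Post (assumed model).
// A resource with no policy is not protected by step 3; every toggleable
// resource needs an explicit update() rule such as this one.
class PostPolicy
{
    public function update(\App\Models\User $user, \App\Models\Post $post): bool
    {
        return $user->is_admin || $post->author_id === $user->id;
    }
}
```

Step 1 and 2 are application-level checks in addition to the policy; step 3 alone is the minimum an endpoint that writes to arbitrary models must perform.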