Vulnerability Information
Vulnerability Title
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
Vulnerability Description
nova-toggle-5 enables flipping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by the web and auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource, including users who have no access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, so a valid caller could toggle any boolean column on the underlying model, not just the columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
Improper Authorization
Vulnerability Title
Laravel Nova 5 Toggle Field Authorization Vulnerability
Vulnerability Description
Laravel Nova 5 Toggle Field is a quick boolean-toggle field tool for Laravel Nova 5 by the individual developer Almir Hodzic. Versions of Laravel Nova 5 Toggle Field prior to 1.3.0 contain an authorization vulnerability: the toggle endpoint is protected only by the web and auth middleware, so any user authenticated on the configured guard can call the endpoint and flip boolean attributes on any Nova resource, including users who have no access to Nova itself. Because the endpoint also accepts an arbitrary attribute parameter, a valid caller can toggle any boolean column on the underlying model.
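The following is an added illustration of the weakness described in both entries above, not code from the nova-toggle-5 package or its author: a route protected only by `web` + `auth:<guard>` that trusts a caller-supplied `attribute`, beside a hardened registration that requires the caller to pass Nova's own authorization gate, to be authorized to update the specific record, and to name only an attribute the resource exposes as a Toggle field. The field class `Vendor\NovaToggle\Toggle`, the helper `isToggleableAttribute`, and the closure-based routes are assumptions made for this example; the Nova calls used (`Nova::resourceForKey`, `Resource::newModel`, `authorizedToUpdate`, `updateFields`, `Laravel\Nova\Http\Middleware\Authorize`) are standard Nova APIs.

```php
<?php
// Added example, not the package's source. Vendor\NovaToggle\Toggle and
// isToggleableAttribute() are hypothetical names used for illustration.

use Illuminate\Support\Facades\Route;
use Laravel\Nova\Http\Middleware\Authorize as NovaAuthorize;
use Laravel\Nova\Http\Requests\NovaRequest;
use Laravel\Nova\Nova;
use Laravel\Nova\Resource;
use Vendor\NovaToggle\Toggle; // assumed class name/namespace of the Toggle field

// --- Vulnerable pattern (the pre-1.3.0 behaviour the advisory describes) ---
// Only "someone is logged in on the configured guard" is checked. A customer
// authenticated on a shared "web" guard passes, Nova's gate is never consulted,
// and the caller picks the column to flip.
Route::middleware(['web', 'auth:'.(config('nova.guard') ?? 'web')])
    ->post('/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}',
        function (NovaRequest $request, string $resource, string $resourceId) {
            $resourceClass = Nova::resourceForKey($resource);
            $model = $resourceClass::newModel()->findOrFail($resourceId);

            $attribute = $request->input('attribute');       // attacker-controlled
            $model->{$attribute} = ! $model->{$attribute};   // any column, e.g. is_admin
            $model->save();

            return response()->json(['value' => $model->{$attribute}]);
        });

// --- Hardened pattern ---
// 1. 'nova' middleware group plus Nova's Authorize middleware: the caller must
//    pass Nova::check(), i.e. the gate defined in NovaServiceProvider::gate().
// 2. The resource must exist and the caller must be authorized to update
//    this particular record (resource policy).
// 3. The attribute must be allow-listed: a Toggle field the resource actually
//    exposes on its update form, backed by a boolean-cast model attribute.
Route::middleware(['nova', NovaAuthorize::class])
    ->post('/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}',
        function (NovaRequest $request, string $resource, string $resourceId) {
            $resourceClass = Nova::resourceForKey($resource);
            abort_if($resourceClass === null, 404);

            $model = $resourceClass::newModel()->findOrFail($resourceId);
            $novaResource = new $resourceClass($model);
            abort_unless($novaResource->authorizedToUpdate($request), 403);

            $attribute = (string) $request->input('attribute');
            abort_unless(isToggleableAttribute($novaResource, $request, $attribute), 422);

            $model->{$attribute} = ! (bool) $model->{$attribute};
            $model->save();

            return response()->json(['value' => (bool) $model->{$attribute}]);
        });

/**
 * Hypothetical allow-list check. Returns true only if $attribute is declared
 * as a non-readonly Toggle field among the resource's update fields (so
 * hideWhenUpdating()/canSee() are respected) and the model casts it to
 * boolean. This blocks a caller from naming an arbitrary column such as is_admin.
 */
function isToggleableAttribute(Resource $resource, NovaRequest $request, string $attribute): bool
{
    foreach ($resource->updateFields($request) as $field) {
        if ($field instanceof Toggle
            && $field->attribute === $attribute
            && ! $field->isReadonly($request)) {
            return $resource->model()->hasCast($attribute, ['bool', 'boolean']);
        }
    }

    return false;
}
```

The two checks are independent: the middleware change alone still lets any Nova user flip any boolean column on any resource (including columns no Toggle field exposes), and the allow-list alone still lets non-Nova users on the shared guard flip the exposed ones. Both are needed to close the two issues the advisory lists, and `authorizedToUpdate` additionally keeps the endpoint consistent with whatever policy already guards the resource's normal update form.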
CVSS Information
N/A
Vulnerability Type
N/A