GHSA-f5c8-m9vw-rmqg: Improper Authorization in nova-toggle for Laravel Nova allowing unauthorized boolean field modification

Vulnerability Overview Title: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields Vulnerability ID: GHSA-f5c8-m9vw-rmqg Severity: Moderate (6.5 / 10) Reporter: Roberto Negro Publication Date: 3 weeks ago Fixed Version: 1.3.0 --- Impact Scope Affected Versions: Vulnerability Type: Improper Authorization Attack Vector: Network Attack Complexity: Low Required Privileges: Low User Interaction: None Scope: Unchanged Confidentiality Impact: None Integrity Impact: High Availability Impact: None --- Vulnerability Description In versions , the toggle endpoint at was protected only by the and middleware. Any authenticated user could call this endpoint and toggle boolean field attributes on Nova resources they had access to—including users who could not directly access Nova (such as frontend clients sharing the guard). Additionally, the endpoint accepts an arbitrary parameter, meaning valid callers could toggle any boolean column on the model, not just those exposed as fields on the resource. --- Fix Fixed Version: Fix Details: - The route is now protected by Nova's middleware, which enforces the permission. - The controller now checks the resource's policy. - The controller only accepts attributes declared as fields on the resource, excluding those not available in the current request context. --- Workaround For users who cannot upgrade immediately, the package can be removed or access to the routes can be restricted by adding additional middleware in the application to enforce the permission. --- References Fix: https://github.com/almirhodzic/nova-toggle/compare/vagyl1.3.0 CHANGELOG: https://github.com/almirhodzic/nova-toggle-5/blob/main/CHANGELOG.md --- Acknowledgments Thanks to Roberto Negro for reporting this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

GHSA-f5c8-m9vw-rmqg: Improper Authorization in nova-toggle for Laravel Nova allowing unauthorized boolean field modification

More from this source