At a glance

| Field | Detail |
| --- | --- |
| CVE | CVE-2026-55518 |
| CVSS | 9.6 (Critical) |
| Product / vendor | Avo admin panel framework / Avo HQ |
| Affected versions | ≤ 3.32.0; 4.0.0-beta.1 to 4.0.0-beta.50 |
| Impact | Privilege escalation, cross-tenant data exposure |
| Exploitation status | PoC in advisory; no in-the-wild activity reported |
| Fixed in | 3.32.1 and 4.0.0-beta.51 |
| Recommended action | Upgrade immediately |
TL;DR
Avo HQ patched a critical Avo authorization bypass in its Rails admin framework on June 17, 2026. The flaw, CVE-2026-55518, lets a low-privileged user attach related records they should not control. As a result, attackers can escalate privileges or expose tenant data.
Why it matters
Avo powers admin panels, dashboards, and internal tools for many Ruby on Rails teams. These apps often model teams, tenants, roles, and memberships as associations. An attacker who attaches arbitrary records can therefore cross tenant boundaries. The GitHub advisory scores the issue 9.6, near the top of the severity scale. Any production app exposing Avo to non-admin users is at real risk.
How the attack works
Avo checks the attach permission only on the form path, the GET /new route. The matching write endpoint, a POST to the association route, skips that check. A low-privileged but authenticated user can therefore send a crafted POST directly, and the server writes the relationship even when the policy denies it. Hiding or disabling the UI button offers no protection, because the check never runs on the write. The bypass maps to CWE-862 (Missing Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).
Affected versions
Every Avo release up to and including 3.32.0 is vulnerable. The 4.0 beta line is affected from 4.0.0-beta.1 through 4.0.0-beta.50.
Patch and mitigation
Avo HQ fixed the bug in the v3.32.1 release and in 4.0.0-beta.51. Upgrade without delay. After patching, enforce attach authorization on the create action, not just the form. Also add regression tests that POST directly to association routes while the attach policy returns false. No in-the-wild exploitation has been reported. Still, the advisory includes a working proof-of-concept, so treat this Avo authorization bypass as urgent.
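To make the form-versus-write gap described above concrete, and to show the shape of the regression test the mitigation calls for, here is an added, framework-free Ruby sketch. It is not Avo's code and does not reproduce Avo's routes, controllers or policy classes; the `TeamPolicy`, `AttachController` and the team/member data are all constructed for this illustration. The controller can be built in the weak configuration (policy checked only in `new`) or the hardened one (policy also checked in `create`), and `direct_create_attempt` plays the role of a test that calls the write action while the attach policy returns false.

```ruby
# Added illustration, not Avo's code: a minimal model of an "attach related
# record" flow, showing why authorization belongs on the write action (POST
# create) and not only on the form action (GET new).

# Hypothetical policy: a user may attach a member to a team only if the user
# administers that team.
class TeamPolicy
  def initialize(user, team)
    @user = user
    @team = team
  end

  def attach?
    @team[:admins].include?(@user)
  end
end

# Stand-in for an association controller. The weak pattern checks the policy
# in #new only; the hardened pattern checks it in #create as well.
class AttachController
  class Forbidden < StandardError; end

  def initialize(user, teams, check_on_create:)
    @user = user
    @teams = teams
    @check_on_create = check_on_create
  end

  # GET /teams/:id/members/new (form path)
  def new(team_id)
    authorize!(team_id)
    :render_form
  end

  # POST /teams/:id/members (write path)
  def create(team_id, member)
    authorize!(team_id) if @check_on_create
    @teams[team_id][:members] << member
    :created
  end

  private

  def authorize!(team_id)
    raise Forbidden unless TeamPolicy.new(@user, @teams[team_id]).attach?
  end
end

# Constructed sample tenants: "mallory" administers team-b only.
def sample_teams
  {
    "team-a" => { admins: ["alice"], members: ["alice"] },
    "team-b" => { admins: ["mallory"], members: ["mallory"] },
  }
end

# Regression check in the spirit of the advisory's mitigation: call the write
# action directly while the attach policy returns false and report whether the
# relationship was written. Returns [outcome, members_of_team_a].
def direct_create_attempt(check_on_create:)
  teams = sample_teams
  controller = AttachController.new("mallory", teams, check_on_create: check_on_create)
  outcome = begin
    controller.create("team-a", "mallory")
  rescue AttachController::Forbidden
    :forbidden
  end
  [outcome, teams["team-a"][:members]]
end

if __FILE__ == $PROGRAM_NAME
  puts "form-only check: #{direct_create_attempt(check_on_create: false).inspect}"
  puts "create checked:  #{direct_create_attempt(check_on_create: true).inspect}"
end
```

Run stand-alone, the first line shows the weak configuration writing "mallory" into team-a's members despite the policy, and the second shows the hardened configuration refusing. In a real Rails suite the same idea is a request spec that stubs the attach policy to return false and POSTs to the association route, asserting a 403 and an unchanged association count.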