This page lists publicly disclosed CVE vulnerabilities affecting ash-project ash (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-55736 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 5.9 | 0.15% | 2026-06-23 | 2026-06-23 |
| CVE-2025-48044 | Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/[email protected] before pkg:hex/[email protected], from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d. | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 8.6 | 0.81% | 2025-10-17 | 2026-06-17 |
| CVE-2025-48043 | Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/[email protected], before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae. | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 8.6 | 0.47% | 2025-10-10 | 2026-06-17 |
| CVE-2025-48042 | Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6. This issue affects ash: from pkg:hex/ash before pkg:hex/[email protected], before 3.5. | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 7.1 | 0.29% | 2025-09-07 | 2026-06-17 |