Aggregates CVE and security vulnerability intelligence across all ash-project-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk file inclusion, with potential vendor impact file overwrite and vendor impact unauthorized access across vendor surface production workloads use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-55736 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 5.9 | 0.15% | 2026-06-23 | 2026-06-25 |
| CVE-2025-48044 | Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/[email protected] before pkg:hex/[email protected], from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d. | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 8.6 | 0.81% | 2025-10-17 | 2026-06-17 |
| CVE-2025-48043 | Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/[email protected], before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae. | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 8.6 | 0.47% | 2025-10-10 | 2026-06-17 |
| CVE-2025-48042 | Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6. This issue affects ash: from pkg:hex/ash before pkg:hex/[email protected], before 3.5. | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 7.1 | 0.29% | 2025-09-07 | 2026-06-17 |