CVE-2026-35173: CWE-639: Authorization Bypass Through User-Controlled Key in xenocrat chyrp-lite
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.
AI Analysis
Technical Summary
Chyrp Lite versions before 2026.01 contain an authorization bypass vulnerability (CWE-639) due to an IDOR and mass assignment flaw in the Post model. Authenticated users with post editing rights can supply internal object properties, including post IDs, in the post_attributes payload. This allows them to instantiate and modify posts they do not own, bypassing intended permission checks. The issue enables unauthorized modification of other users' posts. The vulnerability is addressed in Chyrp Lite 2026.01.
Potential Impact
The vulnerability allows authenticated users with limited post editing permissions to escalate their privileges and modify posts they should not have access to. This results in unauthorized post takeover, impacting the integrity of content on affected Chyrp Lite installations. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability is fixed in Chyrp Lite version 2026.01. Users should upgrade to version 2026.01 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in 2026.01. No additional mitigation steps are indicated.
CVE-2026-35173: CWE-639: Authorization Bypass Through User-Controlled Key in xenocrat chyrp-lite
Description
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Draft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post_attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user’s post rather than the attacker’s own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Chyrp Lite versions before 2026.01 contain an authorization bypass vulnerability (CWE-639) due to an IDOR and mass assignment flaw in the Post model. Authenticated users with post editing rights can supply internal object properties, including post IDs, in the post_attributes payload. This allows them to instantiate and modify posts they do not own, bypassing intended permission checks. The issue enables unauthorized modification of other users' posts. The vulnerability is addressed in Chyrp Lite 2026.01.
Potential Impact
The vulnerability allows authenticated users with limited post editing permissions to escalate their privileges and modify posts they should not have access to. This results in unauthorized post takeover, impacting the integrity of content on affected Chyrp Lite installations. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability is fixed in Chyrp Lite version 2026.01. Users should upgrade to version 2026.01 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in 2026.01. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T17:26:21.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3f8440a160ebd92cf699b
Added to database: 4/6/2026, 6:15:32 PM
Last enriched: 4/6/2026, 6:30:40 PM
Last updated: 4/6/2026, 8:37:05 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.