CVE-2026-42202: CWE-285: Improper Authorization in almirhodzic nova-toggle-5
nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0.
AI Analysis
Technical Summary
The vulnerability in nova-toggle-5 (prior to version 1.3.0) involves insufficient authorization checks on the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}). Authentication was enforced via web + auth:<guard> middleware, but no further authorization restricted which users could toggle boolean attributes on Nova resources. Consequently, any authenticated user on the guard could toggle any boolean attribute on any resource, including sensitive ones, potentially affecting users without Nova access. The endpoint also accepted arbitrary attribute names, allowing toggling of any boolean column in the model, not just those intended for toggling. This issue was addressed and fixed in version 1.3.0.
Potential Impact
The vulnerability allows authenticated users with access to the configured guard to modify boolean attributes on any Nova resource without proper authorization. This can lead to unauthorized changes in application state or behavior, potentially impacting integrity. There is no direct confidentiality or availability impact reported. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade nova-toggle-5 to version 1.3.0 or later, where this improper authorization issue has been patched. Since this is not a cloud service, manual patching is required. Patch status is not explicitly stated beyond the fix in version 1.3.0, so verify with the vendor advisory for the latest remediation guidance.
CVE-2026-42202: CWE-285: Improper Authorization in almirhodzic nova-toggle-5
Description
nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in nova-toggle-5 (prior to version 1.3.0) involves insufficient authorization checks on the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}). Authentication was enforced via web + auth:<guard> middleware, but no further authorization restricted which users could toggle boolean attributes on Nova resources. Consequently, any authenticated user on the guard could toggle any boolean attribute on any resource, including sensitive ones, potentially affecting users without Nova access. The endpoint also accepted arbitrary attribute names, allowing toggling of any boolean column in the model, not just those intended for toggling. This issue was addressed and fixed in version 1.3.0.
Potential Impact
The vulnerability allows authenticated users with access to the configured guard to modify boolean attributes on any Nova resource without proper authorization. This can lead to unauthorized changes in application state or behavior, potentially impacting integrity. There is no direct confidentiality or availability impact reported. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade nova-toggle-5 to version 1.3.0 or later, where this improper authorization issue has been patched. Since this is not a cloud service, manual patching is required. Patch status is not explicitly stated beyond the fix in version 1.3.0, so verify with the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:04:37.027Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe575bcbff5d86102f6120
Added to database: 5/8/2026, 9:36:27 PM
Last enriched: 5/8/2026, 9:51:29 PM
Last updated: 5/9/2026, 1:59:22 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.