The vulnerability in oban_web (versions 2.12.0 up to but not including 2.12.5) arises from a missing authorization check in the save-job event handler within the 'Elixir.Oban.Web.Jobs.DetailComponent' module. Unlike other handlers that verify user privileges via can?/2, this handler allows an authenticated user with read-only access to submit a forged LiveView WebSocket event that overwrites the worker field of a job. This enables the user to cause the job to execute a different Oban.Worker module on its next run, effectively substituting the job worker without proper authorization.

An authenticated user with read-only access can manipulate job execution by substituting the worker module of a job. This could lead to unintended code execution within the application context, potentially impacting job processing integrity. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS score of 5.3 reflects a medium severity impact.

Patch status is not yet confirmed — no official fix or patch is currently documented. Users of oban_web versions 2.12.0 before 2.12.5 should monitor the vendor's advisory channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict access to authenticated users with read-only privileges and consider additional application-level controls to monitor or block unauthorized save-job events.