CVE-2026-49858: CWE-524: Use of Cache Containing Sensitive Information in api-platform core
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.
AI Analysis
Technical Summary
The JSON:API and HAL item normalizers (ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer) memoize the component structure they compute for a resource (attributes, relationships, links) in a componentsCache array keyed solely on $context['cache_key']. That key is set unconditionally before the call to the parent normalizer, without the isCacheKeySafe gate that would refuse to cache when the output depends on request-specific context. The #[ApiProperty(security: ...)] predicate is evaluated on every request, so the set of exposed properties depends on the current user, but the cached structure does not: a structure computed while serving a user who may see a property is handed back to a later request from a user who may not. The lower-privileged user then sees the structure of properties the predicate would otherwise have hidden. Because componentsCache is a plain array held on the normalizer service, the structure survives from one request to the next only while the same PHP process keeps that service alive, as it does under long-running worker runtimes; under the one-process-per-request model the array is discarded when the request ends. The flaw is classified as CWE-524 (Use of Cache Containing Sensitive Information) and CWE-639 (Authorization Bypass Through User-Controlled Key). Versions from 2.6.0 up to but not including 4.1.29, 4.2.26 and 4.3.12 are affected; those three releases contain the fix.
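The cache-reuse mechanism above, reduced to a self-contained PHP model written for this page (it is not API Platform's code; the resource, the roles and the isCacheKeySafe rule are assumptions standing in for the real ones): a long-lived normalizer keyed only on cache_key hands an admin's component structure to a later, less privileged request, while the gated variant declines to cache when a security predicate makes the structure request-dependent.

```php
<?php
// Added illustration, not API Platform's code: a reduced model of the
// componentsCache bug and of a gated variant. The property set, the roles
// and the isCacheKeySafe rule below are assumptions made for this example.
declare(strict_types=1);

// Per-property exposure rules, standing in for #[ApiProperty(security: ...)].
// null means "no predicate": the property is always exposed.
const PROPERTY_SECURITY = [
    'id'     => null,
    'email'  => null,
    'salary' => "is_granted('ROLE_ADMIN')",
    'ssn'    => "is_granted('ROLE_ADMIN')",
];

// Minimal stand-in for the expression language: only is_granted('ROLE') is supported.
function isGranted(array $user, string $predicate): bool
{
    if (preg_match("/^is_granted\\('([A-Z_]+)'\\)$/", $predicate, $m) !== 1) {
        throw new InvalidArgumentException("Unsupported predicate: $predicate");
    }
    return in_array($m[1], $user['roles'], true);
}

// Evaluated per request: the exposed set depends on who is asking.
function exposedAttributes(array $user): array
{
    $exposed = [];
    foreach (PROPERTY_SECURITY as $name => $predicate) {
        if ($predicate === null || isGranted($user, $predicate)) {
            $exposed[] = $name;
        }
    }
    return $exposed;
}

final class VulnerableNormalizer
{
    /** @var array<string, array{attributes: string[]}> */
    private array $componentsCache = [];

    public function getComponents(array $user, array $context): array
    {
        // The bug: the key is set unconditionally and nothing asks whether
        // the result is safe to share across requests.
        $cacheKey = $context['cache_key'] ?? md5(serialize($context));
        if (isset($this->componentsCache[$cacheKey])) {
            return $this->componentsCache[$cacheKey];
        }
        return $this->componentsCache[$cacheKey] = ['attributes' => exposedAttributes($user)];
    }
}

final class GatedNormalizer
{
    /** @var array<string, array{attributes: string[]}> */
    private array $componentsCache = [];

    // Gate (assumed rule): the structure may only be cached when it cannot
    // vary per request, i.e. no caller-supplied attribute filter and no
    // security predicate on any property.
    private function isCacheKeySafe(array $context): bool
    {
        if (isset($context['attributes'])) {
            return false;
        }
        foreach (PROPERTY_SECURITY as $predicate) {
            if ($predicate !== null) {
                return false;
            }
        }
        return true;
    }

    public function getComponents(array $user, array $context): array
    {
        if (!$this->isCacheKeySafe($context)) {
            return ['attributes' => exposedAttributes($user)];
        }
        $cacheKey = $context['cache_key'] ?? md5(serialize($context));
        return $this->componentsCache[$cacheKey] ??= ['attributes' => exposedAttributes($user)];
    }
}

// Two requests served by the same long-lived normalizer instance: an admin
// first, then a plain user, both with the same cache_key (same resource and operation).
$admin   = ['roles' => ['ROLE_USER', 'ROLE_ADMIN']];
$user    = ['roles' => ['ROLE_USER']];
$context = ['cache_key' => 'employee:get'];

$vuln = new VulnerableNormalizer();
$vuln->getComponents($admin, $context);
$leaked = $vuln->getComponents($user, $context)['attributes']; // id,email,salary,ssn

$gated = new GatedNormalizer();
$gated->getComponents($admin, $context);
$safe = $gated->getComponents($user, $context)['attributes']; // id,email

printf("vulnerable: %s\nfixed:      %s\n", implode(',', $leaked), implode(',', $safe));
```

Run it with the php CLI: the first line shows salary and ssn reaching the plain user because the admin's structure was served from the cache. Declining to cache is the simplest repair; keying the cache on the evaluated predicate results would also work, at the cost of a per-request evaluation that the cache was meant to avoid.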
Potential Impact
A requester with lower privileges can learn the structure of attributes, relationships and links that #[ApiProperty(security: ...)] should have hidden from them, because a component structure computed for a more privileged request is served back from componentsCache. The impact is to confidentiality only; integrity and availability are unaffected. The CVSS 3.1 base score of 5.9 (medium) corresponds to AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, high attack complexity (exploitation depends on a more privileged request having populated the cache beforehand), no privileges required, no user interaction, and high confidentiality impact.
Mitigation Recommendations
Upgrade api-platform/core to the patched release of the branch you run: 4.1.29 for 4.1.x, 4.2.26 for 4.2.x, 4.3.12 for 4.3.x. No fixed release is listed for the 2.x or 3.x lines, so installations on those lines need to move to a patched 4.x release. This page carries no vendor advisory or patch links; confirm the fix against the API Platform project's own release notes and security advisories. Until the upgrade lands: the affected code is confined to the JSON:API and HAL item normalizers, so an API that does not serve those formats can remove them from api_platform.formats to take the vulnerable path out of use (an inference from the advisory's scope, not a vendor-stated workaround); otherwise, inventory the resources that rely on #[ApiProperty(security: ...)] and treat the property names and relationship layout of those resources as potentially visible to lower-privileged users of the JSON:API and HAL endpoints.
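To check an installation against the affected range, here is an added PHP script (not from this page or from the API Platform project) that reads a composer.lock and applies the version bounds from the advisory with version_compare. The embedded lock fragment is constructed for the demonstration, and treating releases newer than 4.3.12 as fixed is an assumption, since the advisory names no upper bound for them.

```php
<?php
// Added check, not from the page or the API Platform project: decide whether
// an installed api-platform/core version falls inside the range the advisory
// gives (>= 2.6.0 and below the patched release of its minor branch).
declare(strict_types=1);

// Patched releases named in the advisory, per minor branch.
const FIXED = ['4.1' => '4.1.29', '4.2' => '4.2.26', '4.3' => '4.3.12'];
const FIRST_AFFECTED = '2.6.0';

// Returns null when the version is not affected, otherwise a short reason.
function affectedReason(string $version): ?string
{
    $v = ltrim($version, 'v');
    // Composer development versions (dev-main, 4.3.x-dev) cannot be compared reliably.
    if (str_starts_with($v, 'dev-') || str_ends_with($v, '-dev')) {
        return "development version '$version': compare against the fixed tags manually";
    }
    if (version_compare($v, FIRST_AFFECTED, '<')) {
        return null;
    }
    $branch = implode('.', array_slice(explode('.', $v), 0, 2));
    if (isset(FIXED[$branch])) {
        return version_compare($v, FIXED[$branch], '<')
            ? "$version is below patched release " . FIXED[$branch]
            : null;
    }
    // 2.x, 3.x and 4.0.x have no patched release listed: treat them as affected.
    // Assumption: anything newer than the newest patched branch carries the fix.
    return version_compare($v, '4.3.12', '>=')
        ? null
        : "$version is on branch $branch, for which no patched release is listed";
}

// Finds the locked version of a package in composer.lock (prod or dev section).
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $p) {
        if (($p['name'] ?? null) === $package) {
            return $p['version'];
        }
    }
    return null;
}

// Constructed composer.lock fragment for the demonstration, not a real lock file.
$sampleLock = <<<'JSON'
{"packages":[{"name":"api-platform/core","version":"v4.2.25"},{"name":"symfony/serializer","version":"v7.2.3"}],"packages-dev":[]}
JSON;

$lockJson = $argc > 1 ? file_get_contents($argv[1]) : $sampleLock;
$version  = lockedVersion($lockJson, 'api-platform/core');
if ($version === null) {
    echo "api-platform/core is not present in the lock file\n";
    exit(0);
}
$reason = affectedReason($version);
echo $reason === null
    ? "OK: $version is not affected by CVE-2026-49858\n"
    : "AFFECTED: $reason\n";
exit($reason === null ? 0 : 1);
```

Run as `php check.php path/to/composer.lock`; with no argument it evaluates the embedded sample, which reports v4.2.25 as affected. In CI, `composer audit` covers the same ground once the advisory is in the Packagist security advisory database and is the check to keep running.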
CVSS v3.1
Score: 5.9 (medium)
Affected software
pkg:composer/api-platform/core
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-01T22:03:19.640Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: not specified
Threat ID: 6a456fd127e9c79719097e63
Added to database: 07/01/2026, 19:51:45 UTC
Last enriched: 07/01/2026, 20:06:51 UTC
Last updated: 07/02/2026, 03:25:19 UTC