CVE Catalog

CVE-2026-48089

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

DevGuard prior to version 1.4.2 allows unauthorized modifications of VEX rules by authenticated users, including those from other organizations, on public assets. Users can create, update, reapply, and delete VEX rules and other related vulnerability events.

Risk Assessment

Organizations may be exposed to unauthorized changes in vulnerability management, potentially leading to incorrect security decisions and data breaches.

Recommendation

It is recommended to upgrade to version 1.4.2, which contains a patch. Alternatively, change the visibility of affected assets from public to private to restore proper authorization.

Original NVD description (English source)

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2`contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS