CVE-2026-48089
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
DevGuard prior to version 1.4.2 allows unauthorized modifications of VEX rules by authenticated users, including those from other organizations, on public assets. Users can create, update, reapply, and delete VEX rules and other related vulnerability events.
Risk Assessment
Organizations may be exposed to unauthorized changes in vulnerability management, potentially leading to incorrect security decisions and data breaches.
Recommendation
It is recommended to upgrade to version 1.4.2, which contains a patch. Alternatively, change the visibility of affected assets from public to private to restore proper authorization.
Original NVD description (English source)
DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the other vulnerability-triage write endpoints exposed under a public asset, including VEX rule create / update / reapply / delete; dependency-vuln event creation (accept / reject / mitigate decisions), batch event creation, vuln sync, and mitigation; license risk creation; external reference writes; and/or artifact creation and license refresh. The attacker needs a valid account on the instance, but no membership in the victim organization, project, or asset is required. Version `v1.4.2`contains a patch. As a workaround, make affected assets non-public. In the asset settings, switch visibility from public to private. This removes the public-read exemption in the access-control middleware and restores correct authorization on all write endpoints for that asset. Downstream consumers that previously relied on the public `vex.json` / `sbom.json` endpoints will need to be granted explicit access or must receive an exported file version until the patched release is deployed.

