CVE Catalog

CVE-2026-57954

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

Vulnerability in Elide through version 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

Risk Assessment

The organization is at risk of sensitive data leakage, as an attacker can infer relative values of fields that should be hidden, potentially leading to privacy breaches or privilege escalation.

Recommendation

Immediately upgrade Elide to version 7.1.18 or later, which includes a fix enforcing @ReadPermission on sort expressions.

Original NVD description (English source)

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS