CVE-2026-57954
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
Vulnerability in Elide through version 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
Risk Assessment
The organization is at risk of sensitive data leakage, as an attacker can infer relative values of fields that should be hidden, potentially leading to privacy breaches or privilege escalation.
Recommendation
Immediately upgrade Elide to version 7.1.18 or later, which includes a fix enforcing @ReadPermission on sort expressions.
Original NVD description (English source)
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

