Back to overview

CVE-2026-54164

MEDIUM
6.5
CVSS 3.1
Description
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.
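The mechanism the description names, a relation IRI resolved into an object without the returned object's class being checked against the relation's declared type, and the different outcome for untyped versus typed PHP properties, as an added PHP illustration. This is not API Platform's code; the classes and methods below (IriRegistry, resolveUnchecked, resolveChecked, LegacyBook, ModernBook, Author, Tag) are hypothetical stand-ins, and the registry contents are constructed sample data. The checked resolver shows the kind of is_a guard the fix relies on.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2026-54164; NOT API Platform code.
// All class and method names here are hypothetical.

abstract class ApiResource
{
    public function __construct(public readonly int $id) {}
}
final class Author extends ApiResource {}
final class Tag extends ApiResource {}

/** Toy IRI -> object resolver standing in for an IRI converter. */
final class IriRegistry
{
    /** @var array<string, ApiResource> */
    private array $byIri = [];

    public function register(string $iri, ApiResource $resource): void
    {
        $this->byIri[$iri] = $resource;
    }

    /** Mirrors the vulnerable path: no expected class, so any resource is returned. */
    public function resolveUnchecked(string $iri): ApiResource
    {
        return $this->byIri[$iri] ?? throw new RuntimeException("Unknown IRI $iri");
    }

    /** Mirrors the fixed path: the caller states the relation's declared class. */
    public function resolveChecked(string $iri, string $expectedClass): ApiResource
    {
        $resource = $this->resolveUnchecked($iri);
        if (!is_a($resource, $expectedClass)) {
            throw new UnexpectedValueException(sprintf(
                'IRI %s resolves to %s, expected %s',
                $iri, $resource::class, $expectedClass
            ));
        }
        return $resource;
    }
}

/** Untyped relation property (legacy @var-only style): PHP enforces nothing. */
final class LegacyBook
{
    /** @var Author|null */
    public $author;
}

/** Typed relation property (PHP 8.x): the engine rejects a wrong-typed object. */
final class ModernBook
{
    public ?Author $author = null;
}

// Constructed sample data.
$registry = new IriRegistry();
$registry->register('/authors/1', new Author(1));
$registry->register('/tags/7', new Tag(7));

// A write request supplies a Tag IRI for the "author" relation.
$submitted = '/tags/7';

// 1. Unchecked resolution + untyped property: the Tag is silently accepted.
$legacy = new LegacyBook();
$legacy->author = $registry->resolveUnchecked($submitted);
echo 'Legacy property now holds: ', $legacy->author::class, PHP_EOL;

// 2. Unchecked resolution + typed property: PHP itself throws a TypeError.
try {
    $modern = new ModernBook();
    $modern->author = $registry->resolveUnchecked($submitted);
} catch (TypeError $e) {
    echo 'Typed property rejected assignment: ', $e->getMessage(), PHP_EOL;
}

// 3. Checked resolution: the guard fails before any assignment happens,
//    whichever way the property is declared.
try {
    $legacy->author = $registry->resolveChecked($submitted, Author::class);
} catch (UnexpectedValueException $e) {
    echo 'Guard rejected IRI: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php` (PHP 8.1 or later). Case 1 is the CWE-843 condition the advisory describes: the object lands in the property with no error, so anything downstream that trusts the declared type is working with the wrong class. Case 2 shows why typed properties limit the impact, and case 3 shows that checking the resolved class against the declared relation type at resolution time protects both property styles.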

Metadata

CVE ID
CVE-2026-54164
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-11 21:46 UTC
Published
2026-07-01 19:14 UTC
Last updated
2026-07-01 19:14 UTC
Primary CWE
CWE-843
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
Vendor / Product
api-platform / core
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected products (1)
Vendor: api-platform
Product: core
Platform: (none listed)
Versions: < 4.1.30; >= 4.2.0 and < 4.2.26; >= 4.3.0 and < 4.3.12
Weakness (CWE)
CWE: CWE-843
Source: cna
Description: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVSS scores (1)
Score: 6.5
Severity: MEDIUM
Version: 3.1
Source: cna
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References (1)