CVE-2026-57954 | Elide through 7.1.17 fails to enforce @ReadPermission on cli… | CVSS 4.3 MEDIUM

Description

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

Metadata

CVE ID: CVE-2026-57954
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-26 13:59 UTC
Published: 2026-06-29 17:21 UTC
Last updated: 2026-06-29 17:21 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: yahoo / elide
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
yahoo	elide	—	0 ≤ 7.1.17

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (2)

Researcher Disclosure https://github.com/yahoo/elide/issues/3415
https://www.vulncheck.com/advisories/elide-permission-bypass-in-sort-expression-validation