CVE-2026-42202 MEDIUM

CVE-2026-42202: nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

Vendor Almirhodzic
Product nova-toggle-5
Weakness CWE-285
Published May 8, 2026
Last update May 11, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

nova-toggle-5 enables flipping booleans from the index view. Prior to version 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by the web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0.
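A hardened version of the toggle action, as an added example that is not part of this advisory or of the nova-toggle-5 package: it closes both gaps described above (callers who can reach the guard but not Nova, and an unchecked attribute parameter). It assumes Laravel Nova's Nova::check(), Nova::resourceForKey(), Resource::authorizeToUpdate() and Resource::updateFields() helpers, and uses a hypothetical ToggleField class in place of the package's own field class.

```php
<?php
// Added example, not the nova-toggle-5 project's code. Assumed names:
// Laravel Nova's Nova::check() / resourceForKey() / authorizeToUpdate() /
// updateFields(), and a hypothetical ToggleField standing in for the
// package's toggle field class.

namespace App\Http\Controllers;

use App\Nova\Fields\ToggleField; // hypothetical placeholder class
use Illuminate\Support\Facades\Validator;
use Laravel\Nova\Http\Requests\NovaRequest;
use Laravel\Nova\Nova;

class ToggleController
{
    public function __invoke(NovaRequest $request, string $resourceKey, string $resourceId)
    {
        // 1. Being logged in on the guard is not enough: the caller must also be
        //    allowed into Nova (the same check Nova's own Authorize middleware runs).
        abort_unless(Nova::check($request), 403);

        // 2. Resolve the resource by its URI key; unknown keys are a 404, not a guess.
        $resourceClass = Nova::resourceForKey($resourceKey);
        abort_if($resourceClass === null, 404);

        $model = $resourceClass::newModel()->findOrFail($resourceId);
        $resource = new $resourceClass($model);

        // 3. Per-record policy check: the user must be allowed to update this row.
        $resource->authorizeToUpdate($request);

        // 4. Allow-list the attribute: only columns the resource exposes as toggle
        //    fields may be flipped, never an arbitrary boolean column on the model.
        $allowed = $resource->updateFields($request)
            ->filter(fn ($field) => $field instanceof ToggleField)
            ->map(fn ($field) => $field->attribute)
            ->values()
            ->all();

        $data = Validator::make($request->all(), [
            'attribute' => ['required', 'string', 'in:' . implode(',', $allowed)],
        ])->validate();

        $attribute = $data['attribute'];
        $model->{$attribute} = ! (bool) $model->{$attribute};
        $model->save();

        return response()->json([$attribute => (bool) $model->{$attribute}]);
    }
}
```

When the resource exposes no toggle fields, the `in:` rule has an empty list and every attribute is rejected, which is the safe default.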

Key dates

Disclosure timeline

May 8, 2026 CVE published
May 11, 2026 Record updated
