CVE-2026-53634 MEDIUM

CVE-2026-53634: Sharp: Missing Authorization Check in Quick Creation Command Endpoints

Vendor: Code16
Product: sharp
Weakness: CWE-862 · Missing authorization
Published: June 10, 2026
Last update: June 11, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Sharp is a content management framework distributed as a Laravel package. In versions from 9.0.0 up to, but not including, 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as the entity had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3.
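To check whether a deployment falls inside the affected range, the following added example (not code from the advisory or from the Sharp project) audits a `composer.lock` document against the versions stated above. It assumes the Composer package name is `code16/sharp`, which the advisory does not state; the sample lock file is constructed.

```python
import json
import re

PACKAGE = "code16/sharp"      # assumed Composer package name (not stated in the advisory)
FIRST_AFFECTED = (9, 0, 0)    # from the advisory: affected from 9.0.0
FIRST_FIXED = (9, 22, 3)      # from the advisory: patched in 9.22.3

# Plain releases only; pre-release tags and dev branches are left for manual review.
_RELEASE_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(raw):
    """Return (major, minor, patch), or None for anything that is not a plain release."""
    m = _RELEASE_RE.match(raw.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(raw):
    """Classify one installed version string against the advisory range."""
    v = parse_version(raw)
    if v is None:
        return "unknown"          # e.g. 'dev-main' or '9.22.3-beta1'
    if FIRST_AFFECTED <= v < FIRST_FIXED:
        return "affected"
    return "not-affected"


def audit_lock(lock_text):
    """Return [(version, status)] for every Sharp entry in a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((version, classify(version)))
    return findings


# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.9.2"},
        {"name": "code16/sharp", "version": "v9.22.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, status in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {status}")
```

A result of `unknown` means the installed reference is a branch or pre-release and has to be compared against the fixing release by hand.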

Key dates

02 Disclosure timeline

June 10, 2026: CVE published
June 11, 2026: Record updated
