CVE-2026-45229

Cp0204 · quark-auto-save

The quark-auto-save package is vulnerable to mass assignment, allowing attackers to modify internal object attributes.

Executive summary

A critical mass assignment vulnerability in the quark-auto-save package allows authenticated attackers to modify restricted object attributes, potentially leading to full system compromise.

Vulnerability

The software is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915). This vulnerability requires the attacker to have low-level authenticated access (PR:L) to perform the exploitation.

Business impact

The ability to modify internal object attributes can lead to privilege escalation or unauthorized data manipulation, resulting in a total technical impact on the affected system. While the CVSS score of 8.8 reflects the high risk of total impact, the requirement for authentication reduces the immediate risk compared to unauthenticated exploits.

Remediation

Immediate Action: Update the quark-auto-save package to version 0.8.5 or later.

Proactive Monitoring: Review application logs for unexpected changes to user attributes or system configurations that deviate from expected operational behavior.

Compensating Controls: Implement strict input validation at the application layer to ensure that only expected fields are processed during object updates, effectively mitigating mass assignment risks.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations utilizing the quark-auto-save package must prioritize the update to version 0.8.5 to prevent unauthorized attribute modification. Immediate patching is recommended to maintain the integrity of the application environment.