CVE-2026-53901: Cerebrate Mass Assignment Vulnerability

CVE-2026-53901 Overview

Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled. The issue is tracked under [CWE-20] (Improper Input Validation) and was fixed in v1.37.

Critical Impact

Authenticated attackers can create objects with attacker-chosen identifiers, enabling object spoofing, identifier collisions, and unauthorized data manipulation across affected models.

Affected Products

• Cerebrate versions prior to 1.37
• Deployments exposing the generic CRUD add() endpoints
• Models relying on server-controlled identifier assignment

Discovery Timeline

• 2026-06-11 - CVE-2026-53901 published to NVD
• 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-53901

Vulnerability Analysis

The flaw resides in the CRUDComponent::add() method in src/Controller/Component/CRUDComponent.php. The handler unset the id key on the raw $params array, then passed $params through __massageInput() to produce the $input array used for entity patching. The normalization step could reintroduce or preserve an id value that the initial sanitization failed to remove.

Because the cleaned variable and the patched variable diverged, the entity created from $input could carry an attacker-supplied primary key. This is a classic mass-assignment pattern where input filtering happens on the wrong object in the data pipeline.

Root Cause

The root cause is an ordering defect between input sanitization and input normalization. The code stripped id from $params before calling __massageInput($params), but the function returned an $input structure that could still hold the id field. The accessible fields list passed to the entity included identifiers, so Cake ORM patched the controlled primary key directly into the new record.

Attack Vector

A network-reachable user with permission to invoke an affected add endpoint submits a request body containing an id field. Cerebrate processes the request, the identifier survives normalization, and the new entity is persisted with the attacker-chosen primary key. Consequences include reference collisions, spoofing of objects expected to be server-generated, and downstream integrity issues across linked models.

                'associated' => [],
                'accessibleFields' => $data->getAccessibleFieldForNew(),
            ];
-            if (!empty($params['id'])) {
-                unset($params['id']);
-            }
            $input = $this->__massageInput($params);
+            if (!empty($input['id'])) {
+                unset($input['id']);
+            }
            if (!empty($params['fields'])) {
                $patchEntityParams['fields'] = $params['fields'];
            }

Source: Cerebrate commit aff1ca7. The patch moves the unset to operate on the post-__massageInput()$input array, ensuring the identifier cannot reach patchEntity().

Detection Methods for CVE-2026-53901

Indicators of Compromise

• HTTP POST or PUT requests to Cerebrate add endpoints whose JSON or form body contains an id field.
• Database records on integer-keyed tables with non-sequential primary keys that do not match the auto-increment progression.
• Audit log entries showing newly created entities whose id matches values supplied in the originating request payload.

Detection Strategies

• Inspect web server and application logs for add requests carrying an id parameter, then correlate with the resulting database insert.
• Compare current AUTO_INCREMENT counters against the maximum primary key in each Cerebrate table to surface records inserted with out-of-band identifiers.
• Review reverse proxy or WAF logs for repeated POSTs against /individuals/add, /organisations/add, and similar CRUD routes containing identifier fields.

Monitoring Recommendations

• Alert on Cerebrate application errors involving primary-key collisions during inserts.
• Track authentication events for accounts that subsequently issue add requests with structured id payloads.
• Forward Cerebrate access logs to a centralized log platform and build queries for body fields containing "id": against add endpoints.

How to Mitigate CVE-2026-53901

Immediate Actions Required

• Upgrade Cerebrate to version 1.37 or later, which relocates the unset to the normalized $input array.
• Audit existing records for unexpected primary keys and reconcile any inconsistent references between linked models.
• Restrict access to CRUD add endpoints to least-privileged roles until the upgrade is deployed.

Patch Information

The fix is committed in Cerebrate commit aff1ca7 and released in Cerebrate v1.37. The patch removes id from $input after __massageInput() runs, closing the normalization gap before patchEntity() is invoked.

Workarounds

• Apply an upstream reverse proxy rule that strips the id field from request bodies targeting Cerebrate add endpoints.
• Temporarily disable or gate access to generic CRUD add routes for non-administrative roles.
• Backport the commit diff to the deployed branch if an immediate version upgrade is not feasible.

# Verify the installed Cerebrate version
cd /var/www/cerebrate
git describe --tags

# Upgrade to the patched release
git fetch --tags
git checkout v1.37
sudo systemctl restart php-fpm nginx