CVE-2026-53911 Overview
Cerebrate before version 1.37 contains a mass-assignment vulnerability that allows authenticated attackers to modify arbitrary records within affected entity types. The flaw permits the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. When an entity does not explicitly mark id as inaccessible, an attacker can submit a crafted edit request containing the id of another record. The save operation then updates that unrelated record instead of the one identified by the route parameter. This issue is classified under CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Any authenticated user could exploit the UserSettings edit endpoint to modify unrelated records within affected entity types, including User, Role, LocalTool, and EnumerationCollection.
Affected Products
- Cerebrate versions prior to 1.37
- Entity types with permissive mass-assignment defaults: User, Role, UserSetting, LocalTool, PermissionLimitation, EnumerationCollection
- Any custom entity inheriting the base AppModel without explicit id accessibility restrictions
Discovery Timeline
- 2026-06-11 - CVE-2026-53911 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-53911
Vulnerability Analysis
The vulnerability stems from Cerebrate's failure to restrict the id primary key from being assigned through user-controlled request input during entity marshalling. In CakePHP-based applications such as Cerebrate, the marshalling process converts request data into entity objects before persistence. When the id field is not explicitly marked as inaccessible, an attacker can override the route parameter by including their own id value in the request body.
The affected entities inherit permissive mass-assignment defaults from the base AppModel entity. Because the UserSettings edit functionality is reachable by any authenticated user, the attack surface extends across the entire authenticated user base. The integrity impact depends on which fields are writable on the targeted endpoint, but consequences include unauthorized modification of user accounts, role assignments, and local tool configurations.
Root Cause
The root cause lies in CakePHP's entity accessibility model. Cerebrate's base AppModel entity did not globally restrict the id field, and individual entities did not override this behavior. During the patch operation, the marshaller treats id as an assignable field, causing the ORM to redirect the save operation to whichever record the attacker specifies.
Attack Vector
An authenticated attacker submits a POST or PATCH request to an affected edit endpoint such as /user_settings/edit/{own_id}. The request body contains an id parameter pointing to a different record within the same entity type. The marshalling layer accepts the injected id, and Cerebrate persists the changes against the attacker-chosen record. The attacker requires only valid authentication, not administrative privileges, to reach the UserSettings endpoint and pivot toward other writable entity fields.
No verified public exploit code is available. Technical details are documented in the Cerebrate GitHub commit reference.
Detection Methods for CVE-2026-53911
Indicators of Compromise
- HTTP requests to Cerebrate edit endpoints containing an id field in the request body that does not match the route parameter
- Unexpected modifications to User, Role, LocalTool, or EnumerationCollection records performed by non-administrative accounts
- Audit log entries showing record updates triggered through UserSettings or other low-privilege endpoints
Detection Strategies
- Inspect web server and application logs for PATCH and POST requests to Cerebrate /edit/ routes where the request payload contains an id parameter
- Correlate authentication identity against the user associated with the modified record to surface ownership mismatches
- Review database write events on affected entity tables for changes initiated outside expected administrative workflows
Monitoring Recommendations
- Enable application-level audit logging on all entity edit operations and forward to a centralized SIEM for retention and analysis
- Alert on any modification of Role or User records performed by accounts without administrative privileges
- Baseline normal UserSettings traffic and flag deviations such as unusually large request payloads or unexpected field values
How to Mitigate CVE-2026-53911
Immediate Actions Required
- Upgrade Cerebrate to version 1.37 or later, which strips id from request input after marshalling callbacks and globally marks id as inaccessible in the base AppModel entity
- Audit all user accounts, roles, and LocalTool configurations for unauthorized changes made before patching
- Rotate credentials for any user account whose record could have been modified during the exposure window
Patch Information
Cerebrate 1.37 resolves the vulnerability through two complementary changes. The fix strips the id field from request input after marshalling callbacks execute, and it globally marks id as inaccessible in the base AppModel entity. The patch is published in the official Cerebrate commit. Administrators should review the commit to confirm coverage for any custom entities deployed in their environment.
Workarounds
- Restrict access to Cerebrate edit endpoints behind an authenticating reverse proxy that strips or validates the id field in request bodies
- For custom entities, explicitly set id to inaccessible in the entity's $_accessible array until the upgrade can be applied
- Temporarily reduce the number of authenticated accounts with access to Cerebrate while the upgrade is staged
# Verify installed Cerebrate version and upgrade
cd /var/www/cerebrate
git fetch --all --tags
git checkout v1.37
php composer.phar install --no-dev
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
