CVE-2026-49858

CVE-2026-49858 is a medium-severity security vulnerability in api-platform/core (composer), affecting versions >= 2.6.0, < 4.1.29. It is fixed in 4.1.29, 4.2.25, 4.3.8.

Check whether CVE-2026-49858 affects your applications

Kodem tells you whether this CVE is present, reachable, and actually executing in your application, so you know if it matters.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence. Only the CVEs that actually run in production.

Summary

API Platform Core vulnerable to cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate

Full technical description

Exploitation conditions

Exploitation requires all of the following to coincide:

  • The application exposes a resource via the JSON:API and/or HAL formats.
  • At least one property of that resource uses #[ApiProperty(security: ...)] with a predicate whose result depends on the current user (or on per-request state).
  • A request from a user for whom the predicate evaluates to true populates componentsCache before a request from a user for whom the predicate evaluates to false, within the lifetime of the same PHP process.
  • The deployment uses a long-running PHP runtime that keeps the normalizer instance alive across requests (FrankenPHP worker mode, RoadRunner, Swoole, ReactPHP, etc.). With classic php-fpm workers the cache only survives the duration of a single request, which makes the issue much harder to observe in practice.

Workarounds

Override the JSON:API and HAL ItemNormalizer services to gate $context['cache_key'] with a resource-class security check, or avoid #[ApiProperty(security: ...)] on resources served as JSON:API or HAL until the patch is applied. Pinning the deployment to classic php-fpm workers also limits exposure since the cache does not survive across requests.

Credits

  • Tillmann Baumgart (@tillmon), originally identified the broader cache-key gap and proposed moving isCacheKeySafe to AbstractItemNormalizer.
  • Antoine Bluchet (@soyuka), extended the gate to JSON:API and HAL normalizers.

Impact

#[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\JsonApi\Serializer\ItemNormalizer and ApiPlatform\Hal\Serializer\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them.

This is the same vulnerability class as GHSA-428q-q3vv-3fq3 / CVE-2025-31485, which fixed only the GraphQL ItemNormalizer. The JSON:API and HAL paths were not addressed at the time.

CVE-2026-49858 has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.1.29, 4.2.25, 4.3.8); upgrading removes the vulnerable code path.

Affected versions

api-platform/core (>= 2.6.0, < 4.1.29) api-platform/core (>= 4.2.0, < 4.2.25) api-platform/core (>= 4.3.0, < 4.3.8) api-platform/json-api (>= 4.0.0, < 4.1.29) api-platform/json-api (>= 4.2.0, < 4.2.25) api-platform/json-api (>= 4.3.0, < 4.3.8) api-platform/hal (>= 4.0.0, < 4.1.29) api-platform/hal (>= 4.2.0, < 4.2.25) api-platform/hal (>= 4.3.0, < 4.3.8)

Security releases

api-platform/core → 4.1.29 (composer) api-platform/core → 4.2.25 (composer) api-platform/core → 4.3.8 (composer) api-platform/json-api → 4.1.29 (composer) api-platform/json-api → 4.2.25 (composer) api-platform/json-api → 4.3.8 (composer) api-platform/hal → 4.1.29 (composer) api-platform/hal → 4.2.25 (composer) api-platform/hal → 4.3.8 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

  • 4.1.29
  • 4.2.25
  • 4.3.8

All three branches receive patched releases of api-platform/core, api-platform/json-api, and api-platform/hal.

Frequently Asked Questions

  1. What is CVE-2026-49858? CVE-2026-49858 is a medium-severity security vulnerability in api-platform/core (composer), affecting versions >= 2.6.0, < 4.1.29. It is fixed in 4.1.29, 4.2.25, 4.3.8.
  2. How severe is CVE-2026-49858? CVE-2026-49858 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-49858?
    • api-platform/core (composer) (versions >= 2.6.0, < 4.1.29)
    • api-platform/json-api (composer) (versions >= 4.0.0, < 4.1.29)
    • api-platform/hal (composer) (versions >= 4.0.0, < 4.1.29)
  4. Is there a fix for CVE-2026-49858? Yes. CVE-2026-49858 is fixed in 4.1.29, 4.2.25, 4.3.8. Upgrade to this version or later.
  5. Is CVE-2026-49858 exploitable, and should I be worried? Whether CVE-2026-49858 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-49858 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-49858?
    • Upgrade api-platform/core to 4.1.29 or later
    • Upgrade api-platform/core to 4.2.25 or later
    • Upgrade api-platform/core to 4.3.8 or later
    • Upgrade api-platform/json-api to 4.1.29 or later
    • Upgrade api-platform/json-api to 4.2.25 or later
    • Upgrade api-platform/json-api to 4.3.8 or later
    • Upgrade api-platform/hal to 4.1.29 or later
    • Upgrade api-platform/hal to 4.2.25 or later
    • Upgrade api-platform/hal to 4.3.8 or later

Other vulnerabilities in api-platform/core

Stop the waste.
Protect your environment with Kodem.