CVE-2026-48067: Filament: auth bypass via Livewire state tampering
Severity: MEDIUM
CVE-2026-48067 is an authorization bypass in Filament (filament/actions and filament/tables), the widely-used Laravel admin panel framework, where the server-side validation on AttachAction and AssociateAction Select fields does not enforce the same record scope defined by recordSelectOptionsQuery(). An authenticated low-privilege user can intercept and tamper with Livewire component state to submit arbitrary out-of-scope record IDs, forcing unauthorized data associations on the backend. EPSS data is unavailable and no active exploitation has been observed, but the low attack complexity (CVSS AC:L, PR:L, UI:N) means any authenticated user can trivially exploit this without specialized tooling — Filament admin panels exposed to broader user populations are at elevated risk. Upgrade to filament/actions 4.11.4 or 5.6.4 and filament/tables 3.3.51 immediately; if patching is not immediate, restrict AttachAction and AssociateAction endpoints to trusted roles only via Filament's built-in policy authorization gates.
What is the risk?
Medium severity with a realistic exploitation path. The integrity-only impact (CVSS I:H, C:N, A:N) limits blast radius to unauthorized record associations rather than data exfiltration or system compromise. Exploitability is high given AC:L and PR:L — any authenticated user in the application can manipulate Livewire state through standard browser tooling or Burp Suite. Risk is amplified in AI/ML management platforms where Filament backs model registries, dataset management interfaces, or training job associations, since unauthorized linkages could corrupt data lineage or trigger unauthorized model retraining pipelines. No public exploit code or active KEV listing reduces immediate urgency, but the simplicity of exploitation makes it a near-term patch priority.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| filament | — | — | No patch |
Do you use filament? You're affected.
What should I do?
1. Patch immediately: upgrade filament/actions to >=4.11.4 or >=5.6.4 (branch-dependent) and filament/tables to >=3.3.51. Run `composer update filament/actions filament/tables` and verify the installed versions.
2. If patching is blocked, add explicit policy-level authorization in each AttachAction/AssociateAction using Filament's `authorize()` callback to re-validate submitted record IDs server-side against the intended scope.
3. Audit all Filament actions in your codebase that use recordSelectOptionsQuery() to identify custom scopes that may be similarly unvalidated in application-layer code.
4. For detection: review application logs for POST requests to Livewire update endpoints where the submitted record ID differs from the set of IDs that would have been returned by the scoped query — anomalous record IDs are the fingerprint of this attack.
5. Restrict Filament admin access to dedicated internal networks or VPN where possible to reduce attack surface.
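The server-side re-check from the steps above, written here as an added example rather than code from the advisory or the Filament project. It assumes Filament 4.x namespaces (Filament\Actions\AssociateAction), an App\Models\Dataset model with a team_id column, an authenticated user with a team_id attribute, and the action's before() hook with a recordId form field; the scope closure is shared so the dropdown and the validation cannot drift apart.

```php
<?php
// Added example (not from the advisory or Filament): an AssociateAction whose
// options are scoped to the current user's team AND whose submitted record ID
// is re-checked against that same scope before the association is written.
// Assumptions: Filament 4.x, App\Models\Dataset with a team_id column, and an
// authenticated user carrying a team_id attribute.

use App\Models\Dataset;
use Filament\Actions\AssociateAction;
use Illuminate\Database\Eloquent\Builder;

// One definition of the scope, reused by both the option list and the check.
$teamScope = fn (Builder $query): Builder => $query
    ->where('team_id', auth()->user()->team_id);

AssociateAction::make()
    // Limits what the dropdown offers (this alone is what the CVE shows is insufficient).
    ->recordSelectOptionsQuery($teamScope)
    // Runs before the association is persisted; $data['recordId'] is the
    // value the Livewire component submitted, whatever the dropdown showed.
    ->before(function (AssociateAction $action, array $data) use ($teamScope): void {
        $inScope = $teamScope(Dataset::query())
            ->whereKey($data['recordId'] ?? null)
            ->exists();

        if (! $inScope) {
            // Tampered or out-of-scope ID: notify failure and stop the action.
            $action->failure();
            $action->halt();
        }
    });
```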
Frequently Asked Questions
Is CVE-2026-48067 actively exploited?
No confirmed active exploitation of CVE-2026-48067 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-48067?
This vulnerability affects the following AI/ML architecture patterns: ML model management dashboards, training pipelines, dataset management interfaces, MLOps admin panels.
What is the CVSS score for CVE-2026-48067?
CVE-2026-48067 has a CVSS v3.1 base score of 6.5 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.
Exploitation Scenario
An attacker with a low-privilege researcher account on an AI platform's Filament-based admin panel identifies an AssociateAction that allows them to link datasets to their own experiments. The recordSelectOptionsQuery() scopes the dropdown to datasets within their team. Using browser DevTools or Burp Suite, the attacker intercepts the Livewire component state update request and replaces the submitted dataset ID with the ID of a restricted proprietary dataset belonging to another team. Because the server-side validation rule does not apply the same recordSelectOptionsQuery() scope, the association is accepted. The attacker's experiment is now linked to the restricted dataset, granting indirect access to its contents through the experiment's downstream processing pipeline — bypassing all team-level data segregation controls without triggering authentication alerts.
Weaknesses (CWE)
CWE-639 Authorization Bypass Through User-Controlled Key (Primary): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
- [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References
- https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr (vendor advisory)
Related Vulnerabilities (same attack type: Auth Bypass)
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation
- GHSA-vvpj-8cmc-gx39 (10.0) picklescan: security flaw enables exploitation
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
- CVE-2026-26030 (10.0) semantic-kernel: Code Injection enables RCE