The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.
This issue affects oban_web: from 2.12.0 before 2.12.5.
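The weakness is a server-side event handler that trusts the client: a LiveView form can be hidden for `:read_only` users, but any connected user can push an arbitrary event over the WebSocket, so the privilege check has to live in the handler itself, as it does for the cancel, delete and retry siblings. The sketch below, which is an added illustration and not Oban Web's code, shows the shape of such a guarded handler. Only the `save-job` event name and the `can?/2` convention come from the advisory; the module name, the `:access` assign, the `:update_jobs` permission and the `update_worker/2` helper are assumed for the example.

```elixir
# Added illustration of a guarded "save-job" handler; not Oban Web's code.
# Assumed names: Illustrative.Jobs.DetailComponent, socket.assigns.access,
# the :update_jobs permission and update_worker/2.
defmodule Illustrative.Jobs.DetailComponent do
  use Phoenix.LiveComponent

  # Every state-changing handler runs the same server-side check. A client
  # can forge any event over the LiveView socket, so hiding the edit form in
  # the template is not a control; the check in the handler is.
  def handle_event("save-job", %{"worker" => worker}, socket) do
    if can?(:update_jobs, socket.assigns.access) do
      job = update_worker(socket.assigns.job, worker)
      {:noreply, assign(socket, :job, job)}
    else
      # Unauthorized caller: leave the job untouched and the socket unchanged.
      {:noreply, socket}
    end
  end

  # Assumed access model: :read_only may only view, :all may mutate.
  defp can?(_action, :all), do: true
  defp can?(_action, _access), do: false

  # Assumed persistence helper; real code would update the job through
  # Oban/Ecto rather than mutate the assign in place.
  defp update_worker(job, worker), do: %{job | worker: worker}
end
```

The point of the pattern is uniformity: a single `can?/2` call at the top of every mutating handler makes an omission like the one in this advisory visible in review, and a test that pushes `save-job` as a `:read_only` user and asserts the worker field is unchanged catches the regression.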
No vendor fix or workaround currently provided.
Tracking
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-389x-rgxr-8m33 | oban_web missing authorization check on `save-job` event handler |
Wed, 27 May 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Oban-bg; Oban-bg oban Web | |
| Vendors & Products | Oban-bg; Oban-bg oban Web | |
Tue, 26 May 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Tue, 26 May 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web: from 2.12.0 before 2.12.5. | |
| Title | Missing authorization check on save-job event handler in oban_web | |
| First Time appeared | Oban Web Project; Oban Web Project oban Web | |
| Weaknesses | CWE-862 | |
| CPEs | cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:* | |
| Vendors & Products | Oban Web Project; Oban Web Project oban Web | |
| References | | |
| Metrics | cvssV4_0 | |
Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-05-27T15:41:23.434Z
Reserved: 2026-05-22T09:36:56.834Z
Link: CVE-2026-48592
Updated: 2026-05-26T20:46:47.428Z
Status : Deferred
Published: 2026-05-26T21:16:41.707
Modified: 2026-06-17T10:55:08.243
Link: CVE-2026-48592
OpenCVE Enrichment
Updated: 2026-05-27T10:08:38Z