Description
Missing Authorization vulnerability in oban-bg oban_web (the 'Elixir.Oban.Web.Jobs.DetailComponent' module) allows unauthorized job worker substitution.

The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.

This issue affects oban_web: from 2.12.0 before 2.12.5.
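The weakness described above is an authorization check that exists on three sibling event handlers but was omitted from a fourth. The following Elixir sketch is an added illustration, not oban_web's own code: it shows a LiveComponent whose "save-job" clause is ungated next to a hardened version that routes every mutating event through one deny-by-default permission table, so a forgotten clause fails closed instead of open. The module names, the `:access` assign, the `authorized?/2` helper, the permission atoms (`:cancel_jobs`, `:delete_jobs`, `:retry_jobs`, `:update_jobs`) and `MyApp.Jobs` are all assumptions; only the event names and the idea of a per-caller access level (`:all`, `:read_only`, or a keyword list, the shape used by `Oban.Web.Resolver.resolve_access/1`) come from the advisory and the library's documented configuration.

```elixir
# Added illustration, not oban_web source. Assumptions: the caller's access level is
# kept in socket.assigns.access, the job being edited in socket.assigns.job, and
# MyApp.Jobs stands in for whatever persists the edit.

defmodule MyApp.Access do
  @doc """
  True only when the access level permits `action`. Access values follow the
  resolver shape: :all, :read_only, or a keyword list such as [cancel_jobs: true].
  Anything unrecognised is denied.
  """
  def authorized?(:all, _action), do: true
  def authorized?(:read_only, _action), do: false
  def authorized?(perms, action) when is_list(perms), do: Keyword.get(perms, action, false) == true
  def authorized?(_other, _action), do: false
end

defmodule MyApp.Jobs do
  # Hypothetical persistence layer; here it only rewrites the assigned job struct.
  def cancel(socket), do: Phoenix.Component.assign(socket, :job, %{socket.assigns.job | state: "cancelled"})
  def update_worker(socket, worker),
    do: Phoenix.Component.assign(socket, :job, %{socket.assigns.job | worker: worker})
end

defmodule MyApp.JobDetailComponent.Vulnerable do
  use Phoenix.LiveComponent
  alias MyApp.Access

  # Gated: the caller's access is checked before the job is touched.
  def handle_event("cancel", _params, socket) do
    if Access.authorized?(socket.assigns.access, :cancel_jobs),
      do: {:noreply, MyApp.Jobs.cancel(socket)},
      else: {:noreply, assign(socket, :error, "Not permitted")}
  end

  # Ungated: every LiveView event arrives over the client-controlled WebSocket, so
  # the server cannot rely on the UI having hidden the edit form from :read_only users.
  def handle_event("save-job", %{"worker" => worker}, socket) do
    {:noreply, MyApp.Jobs.update_worker(socket, worker)}
  end
end

defmodule MyApp.JobDetailComponent.Fixed do
  use Phoenix.LiveComponent
  alias MyApp.Access

  # Each mutating event is paired with the permission it needs (atoms assumed).
  # Deny by default: an event absent from this table never reaches apply_event/3.
  @required %{
    "cancel" => :cancel_jobs,
    "delete" => :delete_jobs,
    "retry" => :retry_jobs,
    "save-job" => :update_jobs
  }

  def handle_event(event, params, socket) do
    with {:ok, action} <- Map.fetch(@required, event),
         true <- Access.authorized?(socket.assigns.access, action) do
      apply_event(event, params, socket)
    else
      # :error (unknown event) and false (insufficient access) both fail closed.
      _ -> {:noreply, assign(socket, :error, "Not permitted")}
    end
  end

  defp apply_event("save-job", %{"worker" => worker}, socket),
    do: {:noreply, MyApp.Jobs.update_worker(socket, worker)}

  defp apply_event("cancel", _params, socket), do: {:noreply, MyApp.Jobs.cancel(socket)}

  # "delete" and "retry" would dispatch to MyApp.Jobs the same way; the gate above
  # has already run by the time any of these clauses execute.
  defp apply_event(_event, _params, socket), do: {:noreply, socket}
end
```

The design point is where the check lives: when each `handle_event/3` clause carries its own `if authorized?` the fourth clause is one omission away from the bug in this advisory, whereas a single dispatching clause with a permission table makes the check structural. A test for such a component should drive each event with a `:read_only` access assign and assert that the job struct is unchanged afterwards, which is exactly the case the original handler missed.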
Published: 2026-05-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
Remediation

No vendor fix or workaround currently provided.

Advisories

Source: GitHub GHSA
ID: GHSA-389x-rgxr-8m33
Title: oban_web missing authorization check on `save-job` event handler
History

Wed, 27 May 2026 10:30:00 +0000 (values added)

- First Time appeared: Oban-bg; Oban-bg oban Web
- Vendors & Products: Oban-bg; Oban-bg oban Web

Tue, 26 May 2026 21:30:00 +0000 (values added)

- Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 20:30:00 +0000 (values added)

- Description: text identical to the description at the top of this record
- Title: Missing authorization check on save-job event handler in oban_web
- First Time appeared: Oban Web Project; Oban Web Project oban Web
- Weaknesses: CWE-862
- CPEs: cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
- Vendors & Products: Oban Web Project; Oban Web Project oban Web
- References: (no values listed)
- Metrics (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-05-27T15:41:23.434Z
Reserved: 2026-05-22T09:36:56.834Z
Link: CVE-2026-48592

Vulnrichment

Updated: 2026-05-26T20:46:47.428Z

NVD

Status: Deferred
Published: 2026-05-26T21:16:41.707
Modified: 2026-06-17T10:55:08.243
Link: CVE-2026-48592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:08:38Z

Weaknesses