Laravel Nova Toggle, Authorization Bypass, Medium

Listen to this Post

How the mentioned CVE works (around 20 lines):

The vulnerability exists in nova-toggle package versions before 1.3.0. The toggle endpoint at `POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}` was protected only by the `web` + `auth:` middleware. This means any user authenticated against the configured guard—regardless of whether they have access to Nova’s admin panel—could call this endpoint. For example, frontend customers sharing the same `web` guard as the Nova admin area could issue requests. The endpoint accepted an arbitrary `attribute` parameter, allowing an attacker to toggle any boolean column on the underlying Eloquent model, not just fields exposed as `Toggle` on the Nova resource. This includes sensitive flags like is_admin, is_active, is_verified, or is_locked. Because the route lacked Nova’s internal authorization checks, a low-privileged user could flip administrative flags. The controller did not enforce the resource’s `authorizedToUpdate` policy nor validate that the attribute was a declared `Toggle` field. As a result, an authenticated attacker could escalate privileges, disable security features, or manipulate business-critical boolean fields. The issue is an authorization bypass leading to unauthorized data modification. The CVSS vector would likely be medium-to-high due to low complexity and partial integrity impact, but confidentiality remains unaffected.

dailycve form:

Platform: Laravel Nova
Version: <1.3.0
Vulnerability: Auth bypass toggle
Severity: Medium
date: 2023 (disclosed)

Prediction: Already patched (1.3.0)

What Undercode Say:

Check if vulnerable endpoint exists
curl -X POST https://target.com/nova-vendor/nova-toggle/toggle/users/1 \
-H "Cookie: laravel_session=..." \
-d "attribute=is_admin" -d "value=1"
Scan for boolean columns in target model
php artisan tinker --execute="dd((new App\Models\User)->getConnection()->getSchemaBuilder()->getColumnListing('users'))"
Monitor access logs for /nova-vendor/nova-toggle/toggle/
grep "POST /nova-vendor/nova-toggle/toggle" /var/log/nginx/access.log

Exploit:

Authenticate as any valid user (e.g., frontend customer). Send POST request to `/nova-vendor/nova-toggle/toggle/{resource}/{resourceId}` with parameters `attribute=is_admin` and value=1. If the target model has a boolean `is_admin` column, the attacker toggles it to true, gaining admin privileges.

Protection from this CVE:

Update to nova-toggle 1.3.0 or higher. Alternatively, block the route via custom middleware that enforces `viewNova` gate:

Route::post('/nova-vendor/nova-toggle/toggle/')->middleware('can:viewNova');

Impact:

Any authenticated user (including customers) can flip arbitrary boolean fields on any Nova-managed model. This leads to privilege escalation, bypass of feature flags, and integrity loss of critical model states.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top