nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
Moderate severity
GitHub Reviewed
Published
Apr 20, 2026
in
almirhodzic/nova-toggle-5
•
Updated May 13, 2026
Description
Published to the GitHub Advisory Database
Apr 24, 2026
Reviewed
Apr 24, 2026
Published by the National Vulnerability Database
May 8, 2026
Last updated
May 13, 2026
Impact
In versions
< 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only byweb+auth:<guard>middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself (for example, frontend customers sharing thewebguard with the Nova admin area).The endpoint also accepted an arbitrary
attributeparameter, which meant a valid caller could toggle any boolean column on the underlying model — not just columns exposed asTogglefields on the resource.Patches
Fixed in
1.3.0:nova:apimiddleware, which enforces theviewNovagate.authorizedToUpdatepolicy.Togglefield on the resource and are not readonly in the current request context.Workarounds
Users who cannot upgrade immediately can either remove the package or restrict access to the
/nova-vendor/nova-toggle/toggle/*routes via an additional middleware in their application that enforces theviewNovagate.Credits
nova-toggle-5 thanks Roberto Negro for the responsible disclosure.
References