Incorrect Authorization Affecting @cedar-policy/authorization-for-expressjs package, versions <0.3.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-CEDARPOLICYAUTHORIZATIONFOREXPRESSJS-17816997
  • published4 Jul 2026
  • disclosed30 Jun 2026
  • creditUnknown

Introduced: 30 Jun 2026

NewCVE-2026-49473  (opens in a new tab)
CWE-436  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade @cedar-policy/authorization-for-expressjs to version 0.3.0 or higher.

Overview

@cedar-policy/authorization-for-expressjs is a Middlewares to authorize expressJS applications with Cedar

Affected versions of this package are vulnerable to Incorrect Authorization through improper matching of incoming requests using req.originalUrl. An attacker can gain unauthorized access to restricted endpoints by manipulating the query string to bypass intended authorization checks.

Workaround

This vulnerability can be mitigated by validating and sanitizing incoming request paths before they reach the authorization middleware, and by ensuring applications do not rely solely on the middleware for authorization when defining multiple actions on overlapping path prefixes with different permission levels.

CVSS Base Scores

version 4.0
version 3.1