Missing Authorization Affecting silverstripe/framework package, versions <3.1.17-rc2; >=3.2.0-beta1, <3.2.2; >3.3.0-beta1, <3.3.0-rc3


Severity

medium

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-PHP-SILVERSTRIPEFRAMEWORK-17400359
  • Published: 22 Jun 2026
  • Disclosed: 19 Jun 2026
  • Credit: Matt Peel, Robby Ahn

Introduced: 19 Jun 2026

CVE NOT AVAILABLE, CWE-862

How to fix?

Upgrade silverstripe/framework to version 3.1.17-rc2, 3.2.2, 3.3.0-rc3 or higher.

Overview

silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS.

Affected versions of this package are vulnerable to Missing Authorization via the buildDefaults action in DevelopmentAdmin. An attacker can perform unauthorized database modifications and obtain information about the application's schema by accessing /dev/build/defaults without authentication. Because buildDefaults() does not enforce the same permission checks as /dev/build, unauthenticated users can trigger requireDefaultRecords() on DataObject classes and view information about modified database tables.
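To check whether a site has already received requests to this endpoint, the access log can be searched for the path named above. The following is an added example, not code from Snyk or the SilverStripe project; it assumes Combined Log Format, case-insensitive route matching, and uses constructed sample lines. The access log does not record CMS login state, so every hit needs manual review.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ADVISORY_PATH = "/dev/build/defaults"  # path named in the advisory

def normalize_path(target):
    """Decode the request target and reduce it to a comparable path."""
    path = unquote(urlsplit(target).path)          # drop query, undo %2F etc.
    path = re.sub(r"/{2,}", "/", path).rstrip("/")  # collapse and trim slashes
    # Assumption: routes are matched case-insensitively, so compare lowercased.
    return path.lower()

def find_hits(lines):
    """Return one dict per request whose path ends with the advisory path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        # endswith() also covers sites installed in a subdirectory.
        if not normalize_path(m["target"]).endswith(ADVISORY_PATH):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": status,
            # Assumption: 2xx means the request was served, not refused.
            "served": 200 <= status < 300,
        })
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jun/2026:10:01:02 +0000] "GET /dev/build/defaults HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [19/Jun/2026:10:01:09 +0000] "GET /Dev/Build/Defaults/?flush=1 HTTP/1.1" 200 498 "-" "curl/8.0"',
    '203.0.113.5 - - [19/Jun/2026:10:02:00 +0000] "GET /dev/build HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Jun/2026:10:03:00 +0000] "GET /dev%2Fbuild%2Fdefaults HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Jun/2026:10:04:00 +0000] "GET /about-us HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Served hits from before the upgrade are the ones to correlate with unexpected default records in the database.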
