Auth bypass in Ash-project Ash

CVE-2025-48042

Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/b…

Vulnerability class: Broken Access Control

EPSS: 0.001 (25.6th percentile) — read the EPSS interpretation.

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-48042?
CVE-2025-48042 is a vulnerability in Ash-project Ash, classified under Incorrect Authorization. Published 2025-09-07.
Is CVE-2025-48042 known to be exploited?
1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.