Auth bypass in Ash-project Ash

CVE-2025-48044

Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue a…

Vulnerability class: Broken Access Control

EPSS: 0.000 (10.8th percentile) — read the EPSS interpretation.

Affected products

Ash-project Ash — versions 3.6.3, 79749c2685ea031ebb2de8cf60cc5edced6a8dd0

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

github.com/ash-project/ash/security/advisories/GHSA-pcxq-fjp3-r752 (vendor-advisory, related)
cna.erlef.org/cves/CVE-2025-48044.html (related)
osv.dev/vulnerability/EEF-CVE-2025-48044 (related)
github.com/ash-project/ash/commit/8b83efa225f657bfc3656ad8ee8485f9b2de923d (patch)