CVE-2026-48067: Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component’s state and submit an out-of-scope value.
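The mismatch described above, modeled in plain PHP as an added example (this is not Filament's code or its patch): the options come from a scoped set, while the flawed validator only checks that the record exists. The tenant-based scope, the sample records and every function name here are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: records that could be attached, each owned by a tenant.
const RECORDS = [
    ['id' => 1, 'tenant_id' => 10, 'name' => 'Alpha'],
    ['id' => 2, 'tenant_id' => 10, 'name' => 'Beta'],
    ['id' => 3, 'tenant_id' => 20, 'name' => 'Gamma'], // belongs to another tenant
];

/** Hypothetical scope, standing in for a recordSelectOptionsQuery() callback. */
function scopedRecords(int $tenantId): array
{
    return array_values(array_filter(
        RECORDS,
        fn (array $r): bool => $r['tenant_id'] === $tenantId
    ));
}

/** Options shown in the Select field: id => label, built from the scoped set. */
function selectOptions(int $tenantId): array
{
    return array_column(scopedRecords($tenantId), 'name', 'id');
}

/** Flawed pattern: validation only checks that the record exists at all. */
function validateUnscoped(int $submittedId): bool
{
    return in_array($submittedId, array_column(RECORDS, 'id'), true);
}

/** Corrected pattern: validation re-applies the same scope as the options. */
function validateScoped(int $submittedId, int $tenantId): bool
{
    return array_key_exists($submittedId, selectOptions($tenantId));
}

$tenantId  = 10;
$submitted = 3; // a value that was never offered in tenant 10's options

var_dump(array_keys(selectOptions($tenantId)));   // ids actually offered
var_dump(validateUnscoped($submitted));           // existence-only check
var_dump(validateScoped($submitted, $tenantId));  // scope-aware check
var_dump(validateScoped(2, $tenantId));           // in-scope value still accepted
```

The server-side check has to be derived from the same scope that builds the options, because the submitted value comes from client-controlled component state rather than from the rendered list.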
References
- github.com/advisories/GHSA-7q3w-xqjw-g3cr
- github.com/filamentphp/filament/releases/tag/v3.3.51
- github.com/filamentphp/filament/releases/tag/v4.11.4
- github.com/filamentphp/filament/releases/tag/v5.6.4
- github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr
- nvd.nist.gov/vuln/detail/CVE-2026-48067