CVE-2026-54497: ViewComponent: Reused Component Instances Retain Stale Render Context
ViewComponent::Base instances retain multiple render-scoped objects across calls to render_in. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, view_flow, format/variant details, and slot child context from an earlier render.
This can cause authorization-aware components to render privileged UI for a lower-privileged user, generate links using a stale Host header, leak slot/helper state, and mix request context under concurrent rendering.
References
- github.com/ViewComponent/view_component/commit/7b05073be28037f7d5ff141e9dd42f3cf47956a4
- github.com/ViewComponent/view_component/releases/tag/v4.12.0
- github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49
- github.com/advisories/GHSA-9h85-g7w3-rh49
- github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-54497.yml
- nvd.nist.gov/vuln/detail/CVE-2026-54497
- www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497
Code Behaviors & Features
Detect and mitigate CVE-2026-54497 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →