What is DevGuard and What is the Vulnerability?
DevGuard is a vulnerability-management tool that contains an improper-authorization flaw on public assets. The flaw, tracked as CVE-2026-48089 with a severity score of 7.1, allows any authenticated user, regardless of membership or role in the affected organization or project, to perform write actions on public assets: creating, updating, reapplying, and deleting VEX (Vulnerability Exploitability eXchange) rules, as well as calling other vulnerability-triage write endpoints.
Impact of the Vulnerability
The primary impact is on the integrity of the vulnerability picture of public assets. An attacker with a valid account on the instance, but without membership in the victim organization, project, or asset, can manipulate its vulnerability data: marking CVEs as false positives, silencing vulnerabilities, attaching misleading justifications, or deleting legitimate triage rules. Because public assets are consumed by third parties such as downstream users and supply-chain consumers, the trustworthiness of the affected asset's VEX and SBOM (Software Bill of Materials) output is undermined.
Who is Affected?
This vulnerability affects DevGuard instances with one or more public assets. Private assets are not affected because access to them is correctly gated by organization/project membership.
Solution and Workaround
The fix is to upgrade to DevGuard v1.4.2, which contains the patch. If an immediate upgrade is not possible, the workaround is to make affected assets non-public: switch the visibility from public to private in the asset settings, which removes the public-read exemption and restores correct authorization on all write endpoints for that asset.
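The distinction the advisory draws between a public-read exemption and write authorization is the whole bug class, and it can be shown in a few lines. The following is an added example written for this page, not DevGuard's code: it models an authorization check for asset endpoints where the vulnerable version lets the public flag short-circuit the membership check for every HTTP method, while the fixed version applies the exemption only to read-only methods. All type, function, and sample names (Asset, User, victim-org, the outsider and member accounts) are constructed for illustration and are not taken from the project.

```go
package main

import "fmt"

// Constructed example, not DevGuard's code. Models the authorization
// decision for asset endpoints that carry a public-read exemption.

type Method string

const (
	GET    Method = "GET"
	POST   Method = "POST"
	PUT    Method = "PUT"
	DELETE Method = "DELETE"
)

// Asset is a minimal stand-in for an asset record with its owning org.
type Asset struct {
	ID     string
	OrgID  string
	Public bool
}

// User is an authenticated account; Orgs holds the org IDs it belongs to.
type User struct {
	ID   string
	Orgs map[string]bool
}

// isReadOnly reports whether a method may be covered by the public-read
// exemption. Only GET is treated as read-only here.
func isReadOnly(m Method) bool {
	return m == GET
}

// vulnerableAuthorize reproduces the flawed pattern: the public flag
// skips the membership check for every method, so any authenticated
// user can hit write endpoints on a public asset.
func vulnerableAuthorize(u *User, a Asset, m Method) bool {
	if u == nil {
		return false // unauthenticated requests are always rejected
	}
	if a.Public {
		return true // exemption applied regardless of method
	}
	return u.Orgs[a.OrgID]
}

// fixedAuthorize limits the exemption to read-only methods; every write
// still requires membership in the asset's organization.
func fixedAuthorize(u *User, a Asset, m Method) bool {
	if u == nil {
		return false
	}
	if a.Public && isReadOnly(m) {
		return true
	}
	return u.Orgs[a.OrgID]
}

// regressionGap lists the write methods the vulnerable check grants but
// the fixed check denies for a given user and asset. An empty result
// means the two checks agree, which is what a regression test wants.
func regressionGap(u *User, a Asset) []Method {
	var gap []Method
	for _, m := range []Method{POST, PUT, DELETE} {
		if vulnerableAuthorize(u, a, m) && !fixedAuthorize(u, a, m) {
			gap = append(gap, m)
		}
	}
	return gap
}

func main() {
	// Constructed accounts and assets for the demonstration.
	outsider := &User{ID: "outsider", Orgs: map[string]bool{"other-org": true}}
	member := &User{ID: "member", Orgs: map[string]bool{"victim-org": true}}
	pub := Asset{ID: "pub-asset", OrgID: "victim-org", Public: true}
	priv := Asset{ID: "priv-asset", OrgID: "victim-org", Public: false}

	fmt.Println("outsider on public asset, gap:", regressionGap(outsider, pub))
	fmt.Println("member on public asset, gap:", regressionGap(member, pub))
	fmt.Println("outsider on private asset, gap:", regressionGap(outsider, priv))
	fmt.Println("outsider GET on public asset (fixed):", fixedAuthorize(outsider, pub, GET))
}
```

The regressionGap helper is the shape of check worth keeping in a test suite after applying the v1.4.2 patch: for every asset visibility and every write method, an account with no membership in the owning organization must be denied, and only read-only methods may differ between public and private assets.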