Broken Object Level Authorization in Ruby on Rails (Avo) [CVE-2026-42205]

Broken Object Level Authorization (BOLA) vulnerabilities allow an attacker to access or modify resources outside their permitted scope. In the real-world CVE-2026-42205, the Avo framework for Ruby on Rails prior to 3.31.2 allowed an authenticated user to bypass resource-specific access controls by exploiting insecure action lookup in the ActionsController. Because the code could instantiate any Action subclass (descendants of Avo::BaseAction) based on user-supplied input, an attacker could trigger actions on resources they should not be able to touch, enabling privilege escalation and unauthorized data manipulation across the application. This aligns with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass) and demonstrates how a broken object-level authorization path can be weaponized in a Rails app. Exploitation in this context often involved taking input that selects an action class by name (e.g., via params) and then dynamically constantizing and instantiating that class without validating whether the action is registered or allowed for the targeted resource. An authenticated attacker could therefore execute an Action class on any resource, even if that action wasn't meant to apply to that resource, leading to data exposure, modification, or deletion across the app. Remediation focuses on defense in depth: upgrade to Avo 3.31.2 or later, implement explicit allowlisting or registry-based validation of permitted actions per resource, and avoid unfiltered dynamic lookup of classes from user input. Integrate Rails-style authorization checks (Pundit, CanCanCan) or resource-scoped policies, and add tests that cover registration and boundary cases to prevent regressions.