another sharp authz bug, this time in quick creation

June 10, 2026
2 min read

TL;DR

I ended up with another Sharp CVE: CVE-2026-53634.

This one was about the Quick Creation Command feature.

The vulnerable part was simple:

  • the create endpoint (the one that returns the creation form) did not enforce authorization
  • the store endpoint (the one that persists the submitted form) did not enforce authorization either

So an authenticated Sharp user without create permission on a given entity could still reach the quick creation flow for that entity, as long as a quickCreationCommandHandler() had been configured for it.

That meant they could:

  • retrieve the creation form
  • and in some cases submit new records they should never have been allowed to create

Why this one mattered

I like bugs like this because they are not trying to be clever.

The authorization check was just missing where it actually mattered.

From the outside, everything may still look permission-aware because the app has a create policy, the entity exists, and the user is inside an authenticated admin context.

But once one feature path skips that rule, the permission boundary no longer exists on that path, however solid it looks everywhere else.

That is exactly what happened here.

The bug

According to the advisory, the vulnerable surface was the Quick Creation Command feature.

The quick creation endpoints accepted requests from authenticated Sharp users, but did not verify whether the caller actually had permission to create that entity.

So if an entity exposed a quick creation handler, a user who lacked normal create permission could still hit those endpoints directly and bypass the authorization layer.

This is one of those bugs where the UI is not the main story. Hiding the quick creation button from users without create permission would not have helped, because the endpoints are reachable directly. The real issue is that the backend route path itself forgot to ask the authorization question.
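To make the pattern concrete, here is an added illustration in plain Laravel (my own example code, not Sharp's implementation). The `Product` model, its policy, the `{entityKey}` route parameter and the entity map are all assumptions. It shows a primary creation path that checks the policy, a secondary "quick create" path with the same effect that forgets the check, and the hardened version that asks the same question on both endpoints:

```php
<?php
// Added example, not Sharp's code. Hypothetical Laravel admin controllers;
// the Product model, ProductPolicy and route shapes are assumptions.

namespace App\Http\Controllers\Admin;

use App\Models\Product;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Gate;

// Primary creation path: both endpoints ask ProductPolicy::create().
class ProductCreateController extends Controller
{
    public function create()
    {
        Gate::authorize('create', Product::class); // 403 when the policy denies

        return view('admin.products.create');
    }

    public function store(Request $request)
    {
        Gate::authorize('create', Product::class);

        $product = Product::create($request->validate([
            'name' => ['required', 'string', 'max:255'],
        ]));

        return redirect()->route('admin.products.show', $product);
    }
}

// Secondary "quick create" path with the same effect, minus the check.
// This is the shape of the bug: any authenticated admin user who knows the
// URL gets the form and can persist a record, policy or no policy.
class VulnerableQuickCreateController extends Controller
{
    public function create(string $entityKey)
    {
        return view('admin.quick-create', ['entityKey' => $entityKey]);
    }

    public function store(Request $request, string $entityKey)
    {
        $product = Product::create($request->validate([
            'name' => ['required', 'string', 'max:255'],
        ]));

        return response()->json(['id' => $product->id], 201);
    }
}

// Hardened path: resolve the entity, then ask the same ability the primary
// path asks, on the form endpoint and on the submission endpoint.
class QuickCreateController extends Controller
{
    // Entity key => model class. Assumed mapping for the example.
    private const ENTITIES = [
        'products' => Product::class,
    ];

    private function modelFor(string $entityKey): string
    {
        if (! isset(self::ENTITIES[$entityKey])) {
            abort(404); // unknown entity: not found, never "allowed"
        }

        return self::ENTITIES[$entityKey];
    }

    public function create(string $entityKey)
    {
        Gate::authorize('create', $this->modelFor($entityKey));

        return view('admin.quick-create', ['entityKey' => $entityKey]);
    }

    public function store(Request $request, string $entityKey)
    {
        $model = $this->modelFor($entityKey);
        Gate::authorize('create', $model);

        $record = $model::create($request->validate([
            'name' => ['required', 'string', 'max:255'],
        ]));

        return response()->json(['id' => $record->id], 201);
    }
}
```

The point of the hardened version is that it does not carry its own notion of who may create what: `Gate::authorize('create', $model)` resolves through the same policy the primary path uses, so the two paths cannot drift apart again. Checking on `store` as well as `create` matters because the form endpoint is only the visible half of the bug; the submission endpoint is where the integrity impact lives.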

What an attacker gets

The public impact is straightforward:

  • unauthorized access to the quick creation form
  • unauthorized record creation for entities wired into the quick creation command flow

That makes this primarily an integrity issue, not a confidentiality bug.

The public advisory reflects that with:

  • Severity: Moderate
  • CVSS: 4.3
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected versions

The advisory lists:

  • Package: code16/sharp
  • Affected: >= 9.0.0, < 9.22.3
  • Patched: 9.22.3
  • CVE: CVE-2026-53634

Workaround

If upgrading is not immediately possible, the advisory recommends removing or disabling quickCreationCommandHandler() on entity lists where unauthorized access would matter.

That does not fix the root cause, but since the bypass only exists for entities that have a handler configured, it does reduce the exposed surface until the package is upgraded.
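Whether you are on the workaround or on 9.22.3, a regression test is the check I would keep around so the path cannot quietly lose its authorization again. This is added example code, not part of the advisory: it assumes a Laravel app with the stock `User` factory, a `products` table, and two named routes for the quick creation flow, `quick-create.create` (GET) and `quick-create.store` (POST), both taking an `entityKey` parameter. The route names and the `products` entity key are assumptions.

```php
<?php
// Added regression test, not from Sharp or the advisory. Assumes a Laravel app
// with the stock User factory, a products table, and two named routes for the
// quick creation flow, quick-create.create (GET) and quick-create.store (POST),
// both taking {entityKey}. Route names and the 'products' key are assumptions.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Tests\TestCase;

class QuickCreateAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    // An authenticated user who is denied every ability. A Gate "before"
    // callback that returns false short-circuits every check, policy calls
    // included, so this user has no create permission on any entity.
    private function authenticatedUserWithoutCreate(): User
    {
        Gate::before(fn (User $user, string $ability) => false);

        return User::factory()->create();
    }

    public function test_quick_create_form_requires_create_permission(): void
    {
        $this->actingAs($this->authenticatedUserWithoutCreate())
            ->get(route('quick-create.create', ['entityKey' => 'products']))
            ->assertForbidden();
    }

    public function test_quick_create_store_requires_create_permission(): void
    {
        $this->actingAs($this->authenticatedUserWithoutCreate())
            ->postJson(route('quick-create.store', ['entityKey' => 'products']), [
                'name' => 'should-not-exist',
            ])
            ->assertForbidden();

        // The integrity part of the bug: nothing may have been written.
        $this->assertDatabaseMissing('products', ['name' => 'should-not-exist']);
    }
}
```

Both tests use an authenticated user on purpose: the bug was never about anonymous access, so a test that only checks the login wall would pass on a vulnerable version. The second test also asserts on the database, because a 403 on the response alone does not prove the record was not persisted first.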

The part I liked

What makes bugs like this good is how easy they are to explain.

The permission model says “this user cannot create this entity.”

But a secondary feature path says “sure, go ahead.”

That mismatch is usually enough on its own.

No weird chain needed.

Reference

Thanks for reading this blog post all the way to the end