TL;DR
I ended up with another Sharp CVE: CVE-2026-53634.
This one was about the Quick Creation Command feature.
The vulnerable part was simple:
- the create endpoint did not enforce authorization
- the store endpoint did not enforce authorization either
So an authenticated Sharp user without create permission on a given entity could still reach the quick creation flow for that entity, as long as a quickCreationCommandHandler() had been configured for it.
That meant they could:
- retrieve the creation form
- and in some cases submit new records they should never have been allowed to create
Why this one mattered
The authorization check was just missing where it actually mattered.
From the outside, everything may still look permission-aware because the app has a create policy, the entity exists, and the user is inside an authenticated admin context.
But once one feature path forgets to apply the same rule, the whole permission boundary becomes fake for that path.
That is exactly what happened here.
The bug
According to the advisory, the vulnerable surface was the Quick Creation Command feature.
The quick creation endpoints accepted requests from authenticated Sharp users, but did not verify whether the caller actually had permission to create that entity.
So if an entity exposed a quick creation handler, a user who lacked normal create permission could still hit those endpoints directly and bypass the authorization layer.
The UI is not the main story here. The real issue is that the backend route path itself forgot to ask the authorization question.
The advisory did not publish controller code, but it did pin the vulnerable shape closely enough:
quickCreationCommandHandler()create endpointstore endpointThat was the useful part here. If the entity had quick creation enabled, both steps in the flow were reachable without the expected create check.
What an attacker gets
The public impact is straightforward:
- unauthorized access to the quick creation form
- unauthorized record creation for entities wired into the quick creation command flow
That makes this primarily an integrity issue, not a confidentiality bug.
The public advisory reflects that with:
- Severity:
Moderate - CVSS:
4.3 - Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected versions
The advisory lists:
- Package:
code16/sharp - Affected:
>= 9.0.0, < 9.22.3 - Patched:
9.22.3 - CVE:
CVE-2026-53634
Workaround
If upgrading is not immediately possible, the advisory recommends removing or disabling quickCreationCommandHandler() on entity lists where unauthorized access would matter.
That does not fix the root cause, but it does reduce the exposed surface until the package is upgraded.