CVE-2026-48067 — Filament has inconsistent scope enforcement for its AttachAction and AssociateAc

Description

The `recordSelectOptionsQuery()` method may be used to scope the options available in the `Select` field for `AttachAction` and `AssociateAction`. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.

How to fix CVE-2026-48067

To remediate CVE-2026-48067, upgrade the affected package to a fixed version below.

—upgrade to 4.11.4 or later
—upgrade to 3.3.51 or later

Is CVE-2026-48067 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48067.

Affected packages (2)

>= 4.0.0, < 4.11.4
>= 3.0.0, < 3.3.51

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (5)

PATCHgithub.com/filamentphp/filament
WEBgithub.com/filamentphp/filament/releases/tag/v3.3.51
WEBgithub.com/filamentphp/filament/releases/tag/v4.11.4
WEBgithub.com/filamentphp/filament/releases/tag/v5.6.4