CVE-2026-1774
Published: 10 February 2026
Summary
CVE-2026-1774 is a critical-severity prototype pollution vulnerability (CWE-1321) in the CASL Ability JavaScript library, as detailed in the analysis below (the auto-generated summary originally attributed it to "Mitre", inferred from the references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 45.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1774 is a prototype pollution vulnerability in CASL Ability, affecting versions 2.4.0 through 6.7.4. CASL Ability is a JavaScript library package used for defining and checking user permissions and abilities, as indicated by its GitHub repository at stalniy/casl/packages/casl-ability. The vulnerability was published on 2026-02-10 and carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
The vulnerability enables remote exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing attackers to pollute JavaScript object prototypes and manipulate application behavior, such as bypassing access controls or executing arbitrary code.
Advisories and references, including the CERT vulnerability note at kb.cert.org/vuls/id/458422, the CWE-1321 definition at cwe.mitre.org/data/definitions/1321.html, and Mozilla Developer Network documentation on prototype pollution, provide additional context on the issue; specific patch and mitigation guidance is given in those sources and in the CASL GitHub repository.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7071
Vulnerability details
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
- CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Prototype pollution in a JavaScript permissions library can enable authorization bypass or remote code execution, which maps directly to exploitation of a public-facing application (T1190) and abuse of the JavaScript interpreter.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Timely remediation through patching (SI-2, Flaw Remediation) directly eliminates the prototype pollution vulnerability in CASL Ability versions 2.4.0 through 6.7.4.
Vulnerability scanning (RA-5, Vulnerability Monitoring and Scanning) identifies deployed instances of the vulnerable CASL Ability library, enabling proactive remediation.
Input validation prevents malicious payloads from reaching CASL Ability functions that are susceptible to prototype pollution.
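The input-validation control above, as an added example that is not code from the CVE record or from the CASL project: a gate that inspects untrusted JSON (for instance, permission rules posted by an API client) for keys that can reach Object.prototype, rejects the document if any is found, and copies accepted data into null-prototype objects before it is handed to any permission-definition code. The rule shape, the `loadUntrustedRules` sink and both sample documents are constructed for the example; nothing here reflects how CASL itself processes rules.

```javascript
// Added example (not from the CVE record or the CASL project).
// Keys that, when used as property names on a plain object, let a write
// walk up to Object.prototype (the mechanism behind CWE-1321).
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the dotted path of the first key that
// could pollute a prototype, or null when the value is clean.
function findPollutingKey(value, path = []) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPollutingKey(value[i], path.concat(String(i)));
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    // JSON.parse creates "__proto__" as an own data property, so Object.keys
    // sees it; the same is true for "constructor" and "prototype".
    for (const key of Object.keys(value)) {
      if (POLLUTING_KEYS.has(key)) return path.concat(key).join('.');
      const hit = findPollutingKey(value[key], path.concat(key));
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Deep-copy a clean value into null-prototype objects so that later merges
// or lookups on the copy cannot reach Object.prototype at all.
function toNullProtoDeep(value) {
  if (Array.isArray(value)) return value.map(toNullProtoDeep);
  if (value !== null && typeof value === 'object') {
    const out = Object.create(null);
    for (const key of Object.keys(value)) out[key] = toNullProtoDeep(value[key]);
    return out;
  }
  return value;
}

// Hypothetical sink: parse an untrusted rules document, throw (so the request
// is rejected and can be logged) if a polluting key is present, and return a
// null-prototype copy that is safe to pass on to a permissions library.
function loadUntrustedRules(rawJson) {
  const parsed = JSON.parse(rawJson);
  const offending = findPollutingKey(parsed);
  if (offending !== null) {
    throw new Error(`rejected permission rules: forbidden key at ${offending}`);
  }
  if (!Array.isArray(parsed)) throw new Error('rules must be a JSON array');
  return toNullProtoDeep(parsed);
}

// Constructed sample inputs: one benign rules document and one carrying a
// prototype-polluting key inside a rule's conditions object.
const BENIGN_RULES = JSON.stringify([
  { action: 'read', subject: 'Article', conditions: { authorId: 42 } },
]);
const HOSTILE_RULES =
  '[{"action":"read","subject":"Article","conditions":{"__proto__":{"isAdmin":true}}}]';

// Run the gate over both samples and report what happened.
function demo() {
  const accepted = loadUntrustedRules(BENIGN_RULES);
  let rejectedReason = null;
  try {
    loadUntrustedRules(HOSTILE_RULES);
  } catch (e) {
    rejectedReason = e.message;
  }
  return {
    acceptedCount: accepted.length,
    acceptedHasNullProto: Object.getPrototypeOf(accepted[0]) === null,
    rejectedReason,
    // Object.prototype must be untouched after processing both inputs.
    prototypeClean: ({}).isAdmin === undefined,
  };
}
```

The rejection path is deliberately loud: a thrown error with the offending path is what a request handler should log, because a polluting key in a permissions document is a strong signal of an exploitation attempt against this CWE class and is worth alerting on rather than silently stripping.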