{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/authorization-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Quarkus Vertx HTTP (\u003c 3.20.6.1)","Quarkus Vertx HTTP (\u003e= 3.21.0, \u003c 3.27.3.1)","Quarkus Vertx HTTP (\u003e= 3.30.0, \u003c 3.33.1.1)","Quarkus Vertx HTTP (\u003e= 3.34.0, \u003c 3.35.1.1)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA vulnerability exists in Quarkus Vertx HTTP versions \u0026lt; 3.20.6.1, \u0026gt;= 3.21.0 and \u0026lt; 3.27.3.1, \u0026gt;= 3.30.0 and \u0026lt; 3.33.1.1, and \u0026gt;= 3.34.0 and \u0026lt; 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (\u003ccode\u003e;\u003c/code\u003e) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus\u0026rsquo;s security layer checks the raw URL path, while RESTEasy Reactive\u0026rsquo;s routing layer strips matrix parameters before matching endpoints. This means a request like \u003ccode\u003e/api/admin;anything\u003c/code\u003e can bypass authorization for \u003ccode\u003e/api/admin\u003c/code\u003e while still routing to the protected endpoint. 
This issue was discovered and verified by the GitHub Security Lab.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a protected endpoint, such as \u003ccode\u003e/api/admin\u003c/code\u003e, that requires authentication or specific privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as \u003ccode\u003e/api/admin;anything\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Quarkus Vertx HTTP server.\u003c/li\u003e\n\u003cli\u003eQuarkus\u0026rsquo;s security layer performs an authorization check on the raw URL path \u003ccode\u003e/api/admin;anything\u003c/code\u003e, which may not match the intended authorization rules for \u003ccode\u003e/api/admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRESTEasy Reactive\u0026rsquo;s routing layer strips the matrix parameters (\u003ccode\u003e;anything\u003c/code\u003e) from the URL, resulting in the endpoint \u003ccode\u003e/api/admin\u003c/code\u003e being matched.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the protected endpoint \u003ccode\u003e/api/admin\u003c/code\u003e, bypassing the intended authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the protected resource or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. 
The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Quarkus Vertx HTTP to a patched version (\u0026gt;= 3.20.6.1, \u0026gt;= 3.27.3.1, \u0026gt;= 3.33.1.1, \u0026gt;= 3.35.1.1) to remediate CVE-2026-39852.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Quarkus Authorization Bypass Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the \u003ccode\u003eMonitor Semicolons in URL Path\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:20:20Z","date_published":"2026-05-04T17:20:20Z","id":"/briefs/2026-05-quarkus-auth-bypass/","summary":"Quarkus Vertx HTTP versions \u003c 3.20.6.1, \u003e= 3.21.0 and \u003c 3.27.3.1, \u003e= 3.30.0 and \u003c 3.33.1.1, and \u003e= 3.34.0 and \u003c 3.35.1.1 are vulnerable to an authorization bypass where appending a semicolon and arbitrary text to the request URL allows unauthorized access to protected resources.","title":"Quarkus Vertx HTTP Authorization Bypass via Matrix Parameters","url":"https://feed.craftedsignal.io/briefs/2026-05-quarkus-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4119"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authorization-bypass","plugin-vulnerability","cve-2026-4119"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Create DB Tables plugin, versions 1.2.1 and earlier, suffers from an authorization bypass vulnerability (CVE-2026-4119). 
This flaw stems from the plugin\u0026rsquo;s failure to implement capability checks or nonce verification for its admin_post action hooks, specifically those responsible for creating (admin_post_add_table) and deleting (admin_post_delete_db_table) database tables. Because the admin_post hook only requires a user to be logged in, any authenticated user, including those with the lowest Subscriber role, can access these endpoints. This oversight allows malicious actors to create arbitrary database tables or, more critically, delete existing ones, including vital WordPress core tables. The vulnerability was published on 2026-04-22, and given the severity, defenders should immediately address this risk. The affected versions of the plugin should be updated or removed to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers an account on a vulnerable WordPress site, gaining Subscriber-level access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the action parameter set to \u003ccode\u003eadd_table\u003c/code\u003e or \u003ccode\u003edelete_db_table\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the \u003ccode\u003edb_table\u003c/code\u003e parameter with the name of the table to be deleted, if exploiting the \u003ccode\u003edelete_db_table\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authorization checks, because \u003ccode\u003ecurrent_user_can()\u003c/code\u003e and \u003ccode\u003ewp_verify_nonce()\u003c/code\u003e are missing.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecdbt_delete_db_table()\u003c/code\u003e function executes a \u003ccode\u003eDROP TABLE\u003c/code\u003e SQL query based on the user-supplied \u003ccode\u003edb_table\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf 
the attacker targets a critical WordPress core table like \u003ccode\u003ewp_users\u003c/code\u003e or \u003ccode\u003ewp_options\u003c/code\u003e, the site\u0026rsquo;s functionality will be severely impacted.\u003c/li\u003e\n\u003cli\u003eAlternatively, if exploiting the \u003ccode\u003eadd_table\u003c/code\u003e action, the \u003ccode\u003ecdbt_create_new_table()\u003c/code\u003e function executes a \u003ccode\u003eCREATE TABLE\u003c/code\u003e SQL query, creating an arbitrary database table.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to complete destruction of the WordPress installation or the introduction of malicious database tables.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to delete arbitrary database tables, including critical WordPress core tables. This can lead to complete site destruction and data loss. An attacker could delete the \u003ccode\u003ewp_users\u003c/code\u003e table, effectively locking out all administrators and other users, or delete the \u003ccode\u003ewp_options\u003c/code\u003e table, causing the site to revert to its default state or become completely unusable. 
The CVSS v3.1 base score for this vulnerability is 9.1, highlighting the critical nature of the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Create DB Tables plugin to a version higher than 1.2.1, where this vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with \u003ccode\u003eaction=delete_db_table\u003c/code\u003e or \u003ccode\u003eaction=add_table\u003c/code\u003e (see rule: \u0026ldquo;Detect Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the vulnerable actions unless originating from an administrator (see rule: \u0026ldquo;WAF - Block Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:49Z","date_published":"2026-04-22T09:16:49Z","id":"/briefs/2026-04-wordpress-create-db-tables-auth-bypass/","summary":"The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.","title":"WordPress Create DB Tables Plugin Authorization Bypass Vulnerability (CVE-2026-4119)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["paperclipai","gmail","openai","authorization bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists within the Paperclip AI ecosystem, specifically affecting the \u003ccode\u003ecodex_local\u003c/code\u003e runtime environment. 
The core issue stems from a trust-boundary failure, where a Paperclip-managed \u003ccode\u003ecodex_local\u003c/code\u003e runtime gains unauthorized access to Gmail connectors that were previously configured within the broader ChatGPT/OpenAI apps UI. This unintended inheritance of connector permissions allows the \u003ccode\u003ecodex_local\u003c/code\u003e environment to perform actions, such as reading emails and sending messages, without explicit authorization within Paperclip itself. This is further complicated by the \u003ccode\u003ecodex_local\u003c/code\u003e runtime\u0026rsquo;s default setting of \u003ccode\u003edangerouslyBypassApprovalsAndSandbox\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e, which effectively disables security controls and amplifies the risk associated with the connector access.  This issue was identified in Paperclip versions up to and including 2026.403.0. Successful exploitation bypasses intended permission boundaries and poses a significant risk to user data and privacy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser connects their Gmail account within the ChatGPT/OpenAI apps UI for use with other OpenAI services.\u003c/li\u003e\n\u003cli\u003eA self-hosted Paperclip instance is deployed, utilizing the \u003ccode\u003ecodex_local\u003c/code\u003e runtime.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003ecodex_local\u003c/code\u003e agent is created and initiated, operating under default settings, which include \u003ccode\u003edangerouslyBypassApprovalsAndSandbox = true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecodex_local\u003c/code\u003e runtime accesses cached OpenAI curated connector state for Gmail found within the \u003ccode\u003ecodex-home/plugins/cache/openai-curated/gmail/.../.app.json\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe agent executes a task designed to inspect mailbox contents, leveraging the 
inherited Gmail connector.\u003c/li\u003e\n\u003cli\u003eThe agent makes successful \u003ccode\u003emcp__codex_apps__gmail_get_profile\u003c/code\u003e, \u003ccode\u003emcp__codex_apps__gmail_search_emails\u003c/code\u003e, and \u003ccode\u003emcp__codex_apps__gmail_send_email\u003c/code\u003e calls.\u003c/li\u003e\n\u003cli\u003eAn email is sent from the user\u0026rsquo;s Gmail account to an unintended recipient without explicit user authorization or Paperclip configuration.\u003c/li\u003e\n\u003cli\u003eSubsequent \u0026ldquo;retraction\u0026rdquo; emails are sent, further demonstrating the persistent and unauthorized write access to the Gmail account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe unauthorized access to Gmail connectors through Paperclip\u0026rsquo;s \u003ccode\u003ecodex_local\u003c/code\u003e runtime has severe consequences. It enables attackers to perform actions, such as disclosing mailbox identity, accessing email threads, and sending emails to external third parties without explicit user consent. In a real-world scenario, this resulted in the sending of an email from a user\u0026rsquo;s personal Gmail account to an unintended external recipient, and follow-up retraction messages, highlighting the potential for significant reputational damage and data breaches. 
The inherent trust boundary failure and unsafe default settings significantly amplify the risk, making it critical to address these vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable or restrict the default inheritance of OpenAI app connectors within Paperclip-managed \u003ccode\u003ecodex_local\u003c/code\u003e runs to prevent unintended access to services like Gmail.\u003c/li\u003e\n\u003cli\u003eImplement a default-deny policy for send/write connectors, requiring explicit Paperclip-side opt-in before any outward actions are permitted.\u003c/li\u003e\n\u003cli\u003eModify the \u003ccode\u003ecodex_local\u003c/code\u003e runtime defaults to ensure safer configurations, including setting \u003ccode\u003edangerouslyBypassApprovalsAndSandbox = false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided to detect unauthorized Gmail API calls originating from the Paperclip environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T22:47:40Z","date_published":"2026-04-16T22:47:40Z","id":"/briefs/2024-02-paperclip-gmail-access/","summary":"A Paperclip-managed `codex_local` runtime can access and utilize Gmail connectors connected in the ChatGPT/OpenAI apps UI without explicit Paperclip configuration, allowing unauthorized mailbox access and email sending capabilities due to a trust-boundary failure and dangerous default runtime settings.","title":"Paperclip codex_local Unauthorized Gmail Access","url":"https://feed.craftedsignal.io/briefs/2024-02-paperclip-gmail-access/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-40185"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-40185","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTREK is a collaborative travel planning application. 
Prior to version 2.7.2, a critical vulnerability existed within the application related to authorization checks. Specifically, the Immich trip photo management routes lacked proper authorization checks. This flaw, identified as CVE-2026-40185, could potentially allow unauthorized users to access and manipulate trip photos if exploited. The vulnerability was reported by GitHub, Inc. and patched in version 2.7.2 of TREK. Defenders should ensure they are running version 2.7.2 or later of the TREK application to mitigate this risk. This vulnerability affects systems running the vulnerable versions of the TREK application and could impact the confidentiality and integrity of user data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable TREK instance running a version prior to 2.7.2.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Immich trip photo management routes.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization checks, the attacker bypasses authentication requirements.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to trip photos.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify or delete trip photos, impacting data integrity.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the exposed data to gather sensitive information about the trip and its participants.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially upload malicious images to the photo storage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40185 can lead to unauthorized access and modification of trip photos within the TREK travel planner application. While the exact number of affected users is unknown, any TREK instance running a version prior to 2.7.2 is susceptible. 
This could result in a breach of confidentiality, potential data manipulation, and reputational damage for the application. Sectors that rely on collaborative travel planning may be particularly affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all TREK instances to version 2.7.2 or later to remediate CVE-2026-40185.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious TREK Photo Route Access\u003c/code\u003e to detect potential exploitation attempts targeting the vulnerable photo management routes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to the Immich trip photo management routes.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns or connections to the TREK server that might indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-trek-auth-bypass/","summary":"TREK collaborative travel planner before version 2.7.2 is vulnerable to missing authorization checks on the Immich trip photo management routes, potentially allowing unauthorized access to trip photos.","title":"TREK Travel Planner Missing Authorization Vulnerability (CVE-2026-40185)","url":"https://feed.craftedsignal.io/briefs/2026-04-trek-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-32252"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chartbrew","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChartbrew, an open-source web application used for creating charts from databases and APIs, is vulnerable to a cross-tenant authorization bypass (CVE-2026-32252) in versions prior to 4.9.0. This vulnerability resides in the GET /team/:team_id/template/generate/:project_id endpoint. 
Specifically, the \u003ccode\u003echeckAccess\u003c/code\u003e function doesn\u0026rsquo;t await its promise and fails to validate if the \u003ccode\u003eproject_id\u003c/code\u003e belongs to the specified \u003ccode\u003eteam_id\u003c/code\u003e or the attacker\u0026rsquo;s team. This allows an authenticated attacker with template generation permissions in their own team to request and receive template model data for projects belonging to other teams. Upgrading to version 4.9.0 or later resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a Chartbrew instance with valid credentials and template generation permissions within their own team.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a valid \u003ccode\u003eteam_id\u003c/code\u003e belonging to a victim team. This could be done through enumeration of team IDs, social engineering, or other means.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a valid \u003ccode\u003eproject_id\u003c/code\u003e belonging to the victim team. 
This may require some level of prior knowledge or reconnaissance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a GET request to \u003ccode\u003e/team/:victim_team_id/template/generate/:victim_project_id\u003c/code\u003e, replacing \u003ccode\u003e:victim_team_id\u003c/code\u003e and \u003ccode\u003e:victim_project_id\u003c/code\u003e with the identified values.\u003c/li\u003e\n\u003cli\u003eThe Chartbrew server receives the request and calls the \u003ccode\u003echeckAccess\u003c/code\u003e function, but does not await the promise.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation of the \u003ccode\u003eproject_id\u003c/code\u003e against the \u003ccode\u003eteam_id\u003c/code\u003e and the caller\u0026rsquo;s team, the authorization check is bypassed.\u003c/li\u003e\n\u003cli\u003eThe server retrieves the template model data associated with the victim\u0026rsquo;s project.\u003c/li\u003e\n\u003cli\u003eThe server returns the victim\u0026rsquo;s project data to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive project data belonging to other teams within the Chartbrew application. This could include confidential database connection strings, API keys, data schemas, and other information that could be used to further compromise the victim\u0026rsquo;s systems or data. 
The number of affected organizations depends on the adoption rate of Chartbrew instances prior to version 4.9.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chartbrew to version 4.9.0 or later to patch CVE-2026-32252.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Chartbrew Template Generation Request\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests to the \u003ccode\u003e/team/*/template/generate/*\u003c/code\u003e endpoint using a WAF or similar tool.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T20:16:21Z","date_published":"2026-04-10T20:16:21Z","id":"/briefs/2024-01-03-chartbrew-auth-bypass/","summary":"Chartbrew versions prior to 4.9.0 are vulnerable to a cross-tenant authorization bypass, allowing an authenticated attacker to access project data belonging to other teams.","title":"Chartbrew Cross-Tenant Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chartbrew-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authorization bypass","acl","file upload","file deletion","CVE-2026-40189"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Goshs web server is susceptible to a critical authorization bypass (CVE-2026-40189) affecting versions up to and including 1.1.4 and v2.0.0-beta.3. The vulnerability stems from inconsistent enforcement of file-based ACLs defined by \u003ccode\u003e.goshs\u003c/code\u003e files. While the application correctly enforces authorization for reading and listing files, state-changing routes such as PUT, POST /upload, ?mkdir, and ?delete do not perform the same authorization checks. 
This allows unauthenticated attackers to upload, create, and delete files within directories that should be protected by authentication. The most severe impact arises from the ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file itself, thereby removing the authentication requirement and exposing previously protected content. This vulnerability undermines the intended security mechanisms of Goshs, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Goshs instance utilizing \u003ccode\u003e.goshs\u003c/code\u003e files for access control.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated PUT request to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:18-60\u003c/code\u003e. Example: \u003ccode\u003ePUT /protected/put-created.txt\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends an unauthenticated multipart POST request to \u003ccode\u003e/upload\u003c/code\u003e endpoint to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:63-165\u003c/code\u003e. Example: \u003ccode\u003ePOST /protected/upload\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?mkdir\u003c/code\u003e parameter to create a directory within the protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/handler.go:901-937\u003c/code\u003e. 
Example: \u003ccode\u003e/?mkdir=new_directory\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?delete\u003c/code\u003e parameter targeting the \u003ccode\u003e.goshs\u003c/code\u003e file within the protected directory, leveraging the vulnerable route in \u003ccode\u003ehttpserver/handler.go:679-698\u003c/code\u003e. Example: \u003ccode\u003e/.goshs?delete\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe server deletes the \u003ccode\u003e.goshs\u003c/code\u003e file using \u003ccode\u003eos.RemoveAll()\u003c/code\u003e, effectively removing the access control restrictions for the directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request to access previously protected files, which are now accessible due to the absence of the \u003ccode\u003e.goshs\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information and can perform further malicious actions, such as deleting or modifying critical files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls in Goshs deployments. This can lead to unauthorized access to sensitive files, potentially exposing confidential information. Attackers can also create, modify, or delete files within protected directories, causing data corruption or service disruption. The ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file directly amplifies the impact, as it permanently removes the authentication barrier, affecting all previously protected content. 
This vulnerability poses a significant threat to the confidentiality, integrity, and availability of Goshs-hosted data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of Goshs that addresses CVE-2026-40189.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated .goshs Deletion\u0026rdquo; to your SIEM to detect attempts to remove \u003ccode\u003e.goshs\u003c/code\u003e ACL files via the \u003ccode\u003e?delete\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated PUT Request to Protected Directories\u0026rdquo; to detect unauthorized file uploads to protected directories.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for PUT, POST, and DELETE requests targeting directories containing \u003ccode\u003e.goshs\u003c/code\u003e files to identify potential exploitation attempts. (Log Source: webserver)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T20:02:46Z","date_published":"2026-04-10T20:02:46Z","id":"/briefs/2026-04-goshs-acl-bypass/","summary":"Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.","title":"Goshs File-Based ACL Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5842"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","authorization-bypass","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security vulnerability, CVE-2026-5842, affects decolua 9router versions up to 0.3.47. 
The vulnerability resides within an unknown function of the \u003ccode\u003e/api\u003c/code\u003e endpoint, specifically the Administrative API. Successful exploitation of this flaw allows a remote attacker to bypass authorization controls, potentially gaining administrative privileges. A public exploit for this vulnerability has been disclosed, increasing the risk of exploitation. Organizations using vulnerable versions of decolua 9router should upgrade to version 0.3.75 as soon as possible to mitigate the risk. This vulnerability was published on April 9, 2026 and poses a significant threat due to the availability of a public exploit.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable decolua 9router instance running a version prior to 0.3.75.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/api\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits the authorization bypass vulnerability in the targeted function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application fails to properly validate the attacker\u0026rsquo;s authorization, granting them access.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to administrative functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized access to modify router configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker can then potentially perform actions like changing DNS settings, creating rogue user accounts, or disrupting network services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5842 allows attackers to bypass authorization and gain unauthorized administrative access to the decolua 9router. 
This can lead to complete compromise of the router, allowing attackers to eavesdrop on network traffic, redirect traffic to malicious sites, or disrupt network services. Given the availability of a public exploit, vulnerable routers are at high risk of compromise. This vulnerability can have severe consequences for both home and business networks relying on decolua 9router.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all decolua 9router instances to version 0.3.75 or later to remediate CVE-2026-5842.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/api\u003c/code\u003e endpoint using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement firewall rules to restrict access to the administrative interface of the router.\u003c/li\u003e\n\u003cli\u003eReview and audit existing router configurations for any unauthorized changes after applying the provided Sigma rule to detect any potential intrusions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T05:16:06Z","date_published":"2026-04-09T05:16:06Z","id":"/briefs/2026-04-decolua-auth-bypass/","summary":"CVE-2026-5842 is an authorization bypass vulnerability in decolua 9router versions up to 0.3.47, allowing remote attackers to gain unauthorized access via manipulation of the /api endpoint.","title":"Decolua 9router Authorization Bypass Vulnerability (CVE-2026-5842)","url":"https://feed.craftedsignal.io/briefs/2026-04-decolua-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-35604"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["filebrowser","authorization-bypass","github-advisory","cve-2026-35604"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFile Browser versions prior to 2.63.1 contain an authorization bypass vulnerability. 
Specifically, when an administrator revokes a user\u0026rsquo;s share and download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The vulnerability exists because the public share download handler (\u003ccode\u003ehttp/public.go\u003c/code\u003e) does not re-check the share owner\u0026rsquo;s current permissions when serving shared files. This can lead to unauthorized data access and a false sense of security for administrators who believe that revoking permissions immediately terminates access to shared resources. The issue was verified against version 2.62.2 (commit 860c19d).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator creates a user account with Share and Download permissions.\u003c/li\u003e\n\u003cli\u003eThe user logs in and creates a share link for a file (e.g., \u003ccode\u003esecret.txt\u003c/code\u003e). The system generates a hash (e.g., \u003ccode\u003efB4Qwtsn\u003c/code\u003e) associated with the share.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user accesses the file via the share link (e.g., \u003ccode\u003e/api/public/dl/fB4Qwtsn\u003c/code\u003e), successfully downloading the content.\u003c/li\u003e\n\u003cli\u003eThe administrator revokes the user\u0026rsquo;s Share and Download permissions via the API, modifying the user\u0026rsquo;s record in the system.\u003c/li\u003e\n\u003cli\u003eThe revoked user attempts to create a new share link and is correctly denied access (403 Forbidden).\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user attempts to access the file using the previously created share link (e.g., \u003ccode\u003e/api/public/dl/fB4Qwtsn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system retrieves the share link information but fails to validate if the original user still possesses Share and Download permissions.\u003c/li\u003e\n\u003cli\u003eThe system serves the file, bypassing the 
intended authorization restrictions and granting unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows unauthorized access to files shared through File Browser, even after an administrator has revoked the share creator\u0026rsquo;s permissions. This can result in data breaches, as users who should no longer have access to shared resources can still retrieve them via existing share links. The administrator may believe that revoking permissions immediately stops all sharing, leading to a false sense of security. This is particularly impactful in environments where sensitive data is shared via File Browser and access control is critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade File Browser to version 2.63.1 or later to patch CVE-2026-35604.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to \u003ccode\u003e/api/public/dl/*\u003c/code\u003e endpoints (logsource: webserver, product: linux/windows) after revoking user permissions; correlate with user permission changes.\u003c/li\u003e\n\u003cli\u003eImplement the suggested fix by adding permission re-validation in \u003ccode\u003ewithHashFile\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:04:59Z","date_published":"2026-04-08T00:04:59Z","id":"/briefs/2026-04-filebrowser-share-bypass/","summary":"File Browser share links remain accessible after Share/Download permissions are revoked, allowing continued access to shared files even after an administrator revokes the user's permissions.","title":"File Browser Share Links Accessible After Permission 
Revocation","url":"https://feed.craftedsignal.io/briefs/2026-04-filebrowser-share-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39331"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39331","churchcrm","authorization-bypass","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM is an open-source church management system. Prior to version 7.1.0, a critical vulnerability exists (CVE-2026-39331) that allows authenticated API users to bypass authorization controls and modify family records without proper privileges. This is achieved by manipulating the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in specific API requests. The vulnerability lies in the absence of role-based access control on several key API endpoints, including \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, and \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e. This allows attackers to deactivate/reactivate families, spam verification emails, mark families as verified, and trigger geocoding actions without the necessary permissions. This vulnerability poses a significant risk to the integrity and availability of ChurchCRM data, especially in multi-tenant environments. 
Upgrade to version 7.1.0 to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ChurchCRM API with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target \u003ccode\u003efamilyId\u003c/code\u003e that they do not have explicit modification rights for.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to one of the vulnerable endpoints: \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, or \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in the request URL with the target \u003ccode\u003efamilyId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor example, the attacker sends a POST request to \u003ccode\u003e/family/123/activate/false\u003c/code\u003e to deactivate family with ID 123.\u003c/li\u003e\n\u003cli\u003eDue to the lack of role-based access control, the server processes the request without verifying if the attacker has the necessary \u003ccode\u003eEditRecords\u003c/code\u003e privilege.\u003c/li\u003e\n\u003cli\u003eThe target family\u0026rsquo;s state is modified (e.g., deactivated, marked as verified).\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process for other families and actions, potentially causing widespread disruption or data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39331 allows an attacker to escalate privileges and manipulate sensitive family data within ChurchCRM. 
This can lead to unauthorized deactivation of families, generation of spam verification emails, inaccurate family verification status, and resource exhaustion due to excessive geocoding requests. While specific victim counts are unknown, all ChurchCRM instances prior to version 7.1.0 are vulnerable. The consequences include reputational damage, data integrity issues, and potential disruption of church operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ChurchCRM to version 7.1.0 to patch CVE-2026-39331 and address the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the vulnerable API endpoints (\u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e) as detected by the Sigma rule \u0026ldquo;ChurchCRM Family ID Manipulation\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and role-based access controls on all API endpoints to prevent unauthorized data modification, especially those handling sensitive data like family records.\u003c/li\u003e\n\u003cli\u003eReview and audit existing ChurchCRM user permissions to identify and revoke any unnecessary privileges that could be exploited in conjunction with this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:44Z","date_published":"2026-04-07T18:16:44Z","id":"/briefs/2026-04-churchcrm-auth-bypass/","summary":"An authenticated API user of ChurchCRM prior to v7.1.0 can bypass authorization checks and modify arbitrary family records by manipulating the familyId parameter in API requests, leading to privilege escalation and potential data 
manipulation.","title":"ChurchCRM Authenticated API User Authorization Bypass (CVE-2026-39331)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-22683"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["windmill","authorization-bypass","privilege-escalation","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWindmill, a low-code internal tool platform, contains a critical missing authorization vulnerability, tracked as CVE-2026-22683, affecting versions 1.56.0 through 1.614.0. The vulnerability stems from a failure to properly enforce role-based access controls within the backend API. Specifically, users assigned the \u0026ldquo;Operator\u0026rdquo; role, who are intended to have limited privileges and be restricted from creating or modifying entities, can bypass these restrictions. This allows Operators to create and modify scripts, flows, apps, and raw_apps, effectively exceeding their intended permissions. Given that Operators can also execute scripts through the jobs API, this authorization bypass facilitates a direct path to privilege escalation and potentially remote code execution within the Windmill environment. 
Defenders should prioritize patching and detection efforts to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises or is assigned an \u0026ldquo;Operator\u0026rdquo; role within the Windmill platform.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Windmill backend API using their Operator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to create a new script, flow, app, or raw_app, bypassing the intended authorization checks for Operator roles.\u003c/li\u003e\n\u003cli\u003eThe Windmill API processes the request without properly validating the Operator\u0026rsquo;s permissions, allowing the entity creation to proceed.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a script containing malicious code designed to escalate privileges or execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the jobs API to execute the newly created malicious script.\u003c/li\u003e\n\u003cli\u003eThe script executes with elevated privileges within the Windmill deployment environment.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially compromising the entire Windmill instance and connected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-22683 can lead to complete compromise of the Windmill instance. An attacker leveraging an Operator account can gain remote code execution capabilities. The missing authorization can lead to full control over the Windmill instance, potentially affecting all applications, flows, and scripts managed within the platform. Given the nature of Windmill as an internal tool platform, this could expose sensitive internal data and systems to unauthorized access. 
The number of affected organizations depends on the adoption rate of Windmill within the affected version range.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Windmill instances to a patched version beyond 1.614.0 to remediate CVE-2026-22683.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Windmill Unauthorized Entity Creation\u003c/code\u003e to detect attempts to create scripts, flows, apps, or raw_apps from Operator accounts via the API.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Windmill Job Execution of Newly Created Entities\u003c/code\u003e to detect the execution of scripts, flows, apps or raw_apps that were recently created.\u003c/li\u003e\n\u003cli\u003eMonitor Windmill API logs for suspicious activity related to entity creation and modification, focusing on requests originating from Operator accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:27Z","date_published":"2026-04-07T17:16:27Z","id":"/briefs/2024-02-29-windmill-auth-bypass/","summary":"Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability (CVE-2026-22683) that allows users with the Operator role to bypass intended restrictions and perform unauthorized entity creation and modification actions via the backend API, potentially leading to privilege escalation and remote code execution.","title":"Windmill Missing Authorization Vulnerability (CVE-2026-22683)","url":"https://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ajenti","authorization-bypass","privilege-escalation","CVE-2026-35175"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAjenti is a web-based system administration panel. 
Prior to version 2.2.15, a flaw exists in the \u003ccode\u003eauth_users\u003c/code\u003e authentication plugin that permits authenticated users lacking superuser privileges to install custom packages. This vulnerability, identified as CVE-2026-35175, allows a low-privileged user to bypass intended authorization checks, potentially escalating their privileges and compromising the entire system. An attacker could leverage this vulnerability to install malicious packages, execute arbitrary code with elevated privileges, and gain unauthorized access to sensitive data or system functionalities. Organizations using vulnerable versions of Ajenti are at risk of internal privilege escalation attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the Ajenti web panel with a valid, non-superuser account using the \u003ccode\u003eauth_users\u003c/code\u003e plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the custom package installation feature within the Ajenti web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious custom package designed to execute arbitrary commands or install backdoors.\u003c/li\u003e\n\u003cli\u003eAjenti fails to properly validate the user\u0026rsquo;s privileges before initiating the package installation process.\u003c/li\u003e\n\u003cli\u003eThe malicious package is installed with the privileges of the Ajenti process, which may include elevated permissions.\u003c/li\u003e\n\u003cli\u003eThe malicious package executes its payload, potentially installing a reverse shell, creating new administrative accounts, or modifying critical system files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the installed backdoor or elevated privileges to gain persistent access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this 
vulnerability allows an authenticated, non-superuser user to execute arbitrary code with elevated privileges. This can lead to full system compromise, data theft, and disruption of services. While the precise number of affected installations is unknown, any organization running Ajenti versions prior to 2.2.15 with the \u003ccode\u003eauth_users\u003c/code\u003e authentication plugin enabled is vulnerable. The impact includes potential data breaches, system downtime, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Ajenti to version 2.2.15 or later to patch CVE-2026-35175 (see References).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Ajenti Package Installation\u003c/code\u003e to detect unauthorized package installations.\u003c/li\u003e\n\u003cli\u003eReview Ajenti access logs for unusual activity or attempts to access restricted functionalities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:57:43Z","date_published":"2026-04-03T03:57:43Z","id":"/briefs/2026-04-ajenti-auth-bypass/","summary":"Ajenti versions before 2.2.15 contain an authorization bypass vulnerability that allows authenticated non-superuser users to install custom packages, potentially leading to privilege escalation and system compromise.","title":"Ajenti Authorization Bypass Vulnerability (CVE-2026-35175)","url":"https://feed.craftedsignal.io/briefs/2026-04-ajenti-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-32725"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","privilege-escalation","cve"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe SciTokens C++ library, a minimal library for creating and using SciTokens, contains an authorization bypass vulnerability (CVE-2026-32725) in versions prior to 1.4.1. 
This flaw stems from the library\u0026rsquo;s handling of path-based scopes within tokens. Specifically, the library normalizes the scope path from the token before authorization but improperly collapses \u0026ldquo;..\u0026rdquo; path components instead of rejecting them. This can lead to a significant security risk, allowing attackers to manipulate scope claims and gain unauthorized access. The vulnerability was reported on March 31, 2026 and patched in version 1.4.1. Organizations using affected versions of scitokens-cpp are at risk of privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a SciToken with a malicious scope claim containing \u0026ldquo;..\u0026rdquo; sequences.\u003c/li\u003e\n\u003cli\u003eThe SciToken is presented to a service using scitokens-cpp for authorization.\u003c/li\u003e\n\u003cli\u003eThe scitokens-cpp library normalizes the scope path.\u003c/li\u003e\n\u003cli\u003eInstead of rejecting the \u0026ldquo;..\u0026rdquo; sequence, the library collapses it, effectively traversing to parent directories.\u003c/li\u003e\n\u003cli\u003eThe authorization check is performed against the manipulated scope.\u003c/li\u003e\n\u003cli\u003eDue to the altered scope, the attacker gains access to resources outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this elevated access to perform unauthorized actions.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32725 allows attackers to bypass intended authorization controls within applications using the SciTokens C++ library. By crafting tokens with manipulated scope claims, attackers can gain unauthorized access to sensitive resources and escalate their privileges. 
This could lead to data breaches, system compromise, and other severe consequences. Organizations relying on scitokens-cpp for access control are vulnerable until they update to version 1.4.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the scitokens-cpp library to version 1.4.1 or later to patch CVE-2026-32725.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SciTokens Scope\u003c/code\u003e to identify potentially malicious tokens being used in your environment.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on any components that process SciToken claims to prevent path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T18:16:50Z","date_published":"2026-03-31T18:16:50Z","id":"/briefs/2026-03-scitokens-auth-bypass/","summary":"SciTokens C++ library before 1.4.1 is vulnerable to an authorization bypass (CVE-2026-32725) due to improper path normalization, allowing attackers to escalate privileges by using parent-directory traversal in scope claims.","title":"SciTokens C++ Authorization Bypass Vulnerability (CVE-2026-32725)","url":"https://feed.craftedsignal.io/briefs/2026-03-scitokens-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-32716"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","scitokens","CVE-2026-32716"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSciTokens is a reference library for generating and using SciTokens. Versions prior to 1.9.6 are vulnerable to an authorization bypass. The vulnerability, identified as CVE-2026-32716, stems from incorrect validation of scope paths within the Enforcer component. Instead of performing an exact match, the Enforcer uses a simple prefix match (startswith). 
This flaw allows a token authorized for a specific path (e.g., \u003ccode\u003e/john\u003c/code\u003e) to also gain unauthorized access to sibling paths sharing the same…\u003c/p\u003e\n","date_modified":"2026-03-31T03:17:16Z","date_published":"2026-03-31T03:17:16Z","id":"/briefs/2026-04-scitokens-auth-bypass/","summary":"SciTokens versions prior to 1.9.6 incorrectly validate scope paths using a prefix match, leading to an authorization bypass vulnerability where a token with access to a specific path can access sibling paths with the same prefix.","title":"SciTokens Authorization Bypass Vulnerability (CVE-2026-32716)","url":"https://feed.craftedsignal.io/briefs/2026-04-scitokens-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34040"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["containerization","authorization bypass","privilege escalation","cve-2026-34040"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMoby is an open-source container framework widely used in containerization deployments. A critical security vulnerability, identified as CVE-2026-34040, affects Moby versions prior to 29.3.1. This flaw enables attackers to bypass configured authorization plugins (AuthZ), potentially granting them unauthorized access to container resources and functionalities. 
Successful exploitation could lead to privilege escalation within the container environment, allowing attackers to execute arbitrary…\u003c/p\u003e\n","date_modified":"2026-03-31T03:15:57Z","date_published":"2026-03-31T03:15:57Z","id":"/briefs/2026-03-moby-authz-bypass/","summary":"A security vulnerability in Moby (prior to v29.3.1) allows attackers to bypass authorization plugins, potentially leading to unauthorized container access and privilege escalation.","title":"Moby Authorization Plugin Bypass Vulnerability (CVE-2026-34040)","url":"https://feed.craftedsignal.io/briefs/2026-03-moby-authz-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["traefik","grpc","authorization-bypass","cve-2026-33186"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTraefik, a popular reverse proxy and load balancer, is susceptible to a denial rule bypass (CVE-2026-33186) due to a flaw in its gRPC-Go dependency. This vulnerability affects Traefik versions prior to 2.11.42, versions 3.0.0-beta3 through 3.6.11, and versions 3.7.0-ea.1 through 3.7.0-ea.3. An unauthenticated attacker can exploit this by sending gRPC requests with a malformed HTTP/2 \u003ccode\u003e:path\u003c/code\u003e pseudo-header that omits the leading slash (e.g., \u003ccode\u003eService/Method\u003c/code\u003e instead of \u003ccode\u003e/Service/Method\u003c/code\u003e). 
While…\u003c/p\u003e\n","date_modified":"2026-03-29T15:37:47Z","date_published":"2026-03-29T15:37:47Z","id":"/briefs/2026-04-traefik-grpc-bypass/","summary":"A remote, unauthenticated attacker can bypass Traefik deny rules by sending malformed gRPC requests with a missing leading slash in the `:path` pseudo-header, exploiting a vulnerability in the gRPC-Go dependency, leading to unauthorized access if a fallback \"allow\" rule is configured.","title":"Traefik gRPC Deny Rule Bypass Vulnerability (CVE-2026-33186)","url":"https://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openemr","authorization-bypass","data-deletion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenEMR, a widely used open-source electronic health records and medical practice management application, is vulnerable to a significant authorization bypass. Specifically, versions prior to 8.0.0.3 lack proper authorization checks in the \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e AJAX endpoint. This flaw enables any authenticated user, regardless of their assigned role or privileges, to delete procedure orders, patient answers, and specimen records associated with any patient within the OpenEMR system. This vulnerability poses a serious threat to data integrity and confidentiality. The vendor patched this vulnerability in version 8.0.0.3. 
Defenders should prioritize identifying and patching vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials to an OpenEMR instance, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the OpenEMR web application with their valid, but potentially low-privilege, account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the vulnerable endpoint: \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request specifies the IDs of procedure orders, answers, or specimens that the attacker wishes to delete, regardless of the associated patient.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check, the OpenEMR application processes the deletion request without verifying the attacker\u0026rsquo;s permissions.\u003c/li\u003e\n\u003cli\u003eThe specified patient data (procedure orders, answers, or specimens) is permanently deleted from the OpenEMR database.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to delete additional patient data, potentially causing significant disruption or data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe missing authorization vulnerability in OpenEMR allows any authenticated user to delete sensitive patient data, including procedure orders, answers to medical questionnaires, and specimen records. Successful exploitation could lead to data loss, compliance violations (e.g., HIPAA), and disruption of medical practice operations. 
The precise number of potentially affected OpenEMR instances is unknown, but given the widespread use of OpenEMR in medical practices, the impact could be substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenEMR installations to version 8.0.0.3 or later to remediate CVE-2026-34053.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for requests to \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e and investigate any unusual activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-openemr-auth-bypass/","summary":"OpenEMR versions before 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user to delete patient data.","title":"OpenEMR Missing Authorization Allows Unauthorized Data Deletion","url":"https://feed.craftedsignal.io/briefs/2026-03-openemr-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32299","connect-cms","authorization-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eConnect-CMS, a content management system, is susceptible to an improper authorization vulnerability (CVE-2026-32299) in versions 1.x up to 1.41.0 and 2.x up to 2.41.0. This flaw allows unauthenticated attackers to potentially retrieve non-public information through the page content retrieval feature. The vulnerability stems from a lack of proper access control checks during content retrieval. 
Patches are available in versions 1.41.1 and 2.41.1, released by the vendor to address this critical…\u003c/p\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-connect-cms-auth-bypass/","summary":"Connect-CMS versions 1.x up to 1.41.0 and 2.x up to 2.41.0 are vulnerable to improper authorization in the page content retrieval feature, potentially allowing retrieval of non-public information, addressed in versions 1.41.1 and 2.41.1.","title":"Connect-CMS Improper Authorization Vulnerability (CVE-2026-32299)","url":"https://feed.craftedsignal.io/briefs/2026-03-connect-cms-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["credential-access","authorization-bypass","n8n"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eA credential authorization bypass vulnerability, identified as CVE-2026-42226, affects n8n versions prior to 2.18.0, specifically in the \u003ccode\u003edynamic-node-parameters\u003c/code\u003e endpoints. This flaw allows an authenticated user who has access to a shared workflow to exploit the system by supplying a credential ID belonging to another user in the request body. Due to insufficient validation, the n8n backend decrypts and utilizes the specified credential during a helper execution path where the caller controls the destination URL. This enables the malicious user to force the n8n instance to authenticate against attacker-controlled infrastructure using another user\u0026rsquo;s credentials, effectively exfiltrating a reusable API key. The vulnerability impacts any node that dynamically resolves credentials through the affected endpoints. 
The issue was patched in n8n version 2.18.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to an n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains access to a shared workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a credential ID belonging to another user within the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a vulnerable \u003ccode\u003edynamic-node-parameters\u003c/code\u003e endpoint, injecting the foreign credential ID into the request body.\u003c/li\u003e\n\u003cli\u003eThe n8n backend, failing to validate the attacker\u0026rsquo;s authorization to use the specified credential, decrypts the targeted credential.\u003c/li\u003e\n\u003cli\u003eThe attacker controls the destination URL in the request, pointing it to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe n8n backend authenticates against the attacker-controlled infrastructure using the decrypted credential, sending the API key to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the API key and uses it to access resources or data accessible to the compromised credential.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-42226) allows an attacker to exfiltrate API keys belonging to other n8n users. This can lead to unauthorized access to external services and data, depending on the permissions granted to the compromised credentials. The impact is significant, potentially affecting all n8n instances running vulnerable versions (prior to 2.18.0). 
The severity is rated as high due to the ease of exploitation and the potential for significant data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.18.0 or later to patch the vulnerability (CVE-2026-42226).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect n8n Foreign Credential ID in dynamic-node-parameters\u003c/code\u003e to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and limit workflow sharing to trusted users as a short-term mitigation, as suggested in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-n8n-credential-bypass/","summary":"A credential authorization bypass vulnerability in n8n versions before 2.18.0 allows an authenticated user with access to a shared workflow to supply a foreign credential ID, causing the backend to decrypt and use that credential against attacker-controlled infrastructure, leading to API key exfiltration.","title":"n8n Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay","url":"https://feed.craftedsignal.io/briefs/2024-01-03-n8n-credential-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Heimdall (versions prior to 0.17.14)"],"_cs_severities":["high"],"_cs_tags":["heimdall","authorization-bypass","url-encoding"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a cloud-native access management proxy, is susceptible to an authorization bypass vulnerability due to its case-sensitive handling of URL-encoded slashes. 
Specifically, versions prior to 0.17.14 fail to properly process lowercase URL-encoded forward slashes (\u003ccode\u003e%2f\u003c/code\u003e) when the \u003ccode\u003eallow_encoded_slashes\u003c/code\u003e option is disabled, which is the default configuration. This discrepancy arises because, while percent-encoding should be case-insensitive, Heimdall only recognizes the uppercase \u003ccode\u003e%2F\u003c/code\u003e. This inconsistency can be exploited if an attacker crafts requests with lowercase encoded slashes that Heimdall doesn\u0026rsquo;t normalize, while upstream services do. This can result in the application of an unintended default rule (if configured permissively), leading to unauthorized access to protected resources. The vulnerability is mitigated by ensuring secure default configurations or proper input validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Heimdall instance enforcing access control policies.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource, such as \u003ccode\u003e/admin/secret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the forward slash in the request path with a lowercase URL-encoded slash (\u003ccode\u003e%2f\u003c/code\u003e), resulting in a request like \u003ccode\u003e/admin%2fsecret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request reaches the Heimdall instance. 
Due to the case-sensitive handling of URL-encoded slashes, Heimdall does not normalize the \u003ccode\u003e%2f\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eHeimdall fails to match the request to the intended access control rule (e.g., a rule matching \u003ccode\u003e/admin/**\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall executes the default rule, which, if misconfigured to be overly permissive (allowing anonymous access), grants access.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the upstream service.\u003c/li\u003e\n\u003cli\u003eThe upstream service interprets \u003ccode\u003e%2f\u003c/code\u003e as a forward slash, effectively processing the request as \u003ccode\u003e/admin/secret\u003c/code\u003e, granting the attacker unauthorized access to the protected resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to bypass intended access control policies, potentially leading to unauthorized access to sensitive data, modification of restricted resources, or invocation of privileged functionality. Depending on the exposed functionality and the configuration of the upstream service, this could also lead to privilege escalation. 
The number of victims and sectors targeted depends heavily on the deployment and configuration of Heimdall instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Heimdall version 0.17.14 or later to address the case-sensitive handling of URL-encoded slashes.\u003c/li\u003e\n\u003cli\u003eAvoid using the \u003ccode\u003e--insecure\u003c/code\u003e or \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e flags during Heimdall configuration, as these flags weaken security posture.\u003c/li\u003e\n\u003cli\u003eConfigure the default rule in Heimdall to implement a \u0026ldquo;deny by default\u0026rdquo; policy to minimize the risk of unintended access.\u003c/li\u003e\n\u003cli\u003eImplement input validation at layers in front of Heimdall (e.g., in proxies like Traefik) to reject HTTP paths containing encoded slashes, providing an additional layer of defense.\u003c/li\u003e\n\u003cli\u003eIf using JWTs, include the ID of the rule expected to be executed and verify that value in the project\u0026rsquo;s service.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-heimdall-url-encoding/","summary":"Heimdall versions before 0.17.14 are vulnerable to inconsistent path interpretation due to case-sensitive handling of URL-encoded slashes; when `allow_encoded_slashes` is set to `off` (the default), the lowercase `%2f` is not recognized, potentially leading to authorization bypass if the default rule is overly permissive and the upstream service interprets `%2f` as a path separator.","title":"Heimdall Authorization Bypass via Case-Sensitive URL-Encoded Slash 
Handling","url":"https://feed.craftedsignal.io/briefs/2024-01-03-heimdall-url-encoding/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["rustfs"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","ssrf","event-interception"],"_cs_type":"advisory","_cs_vendors":["rustfs"],"content_html":"\u003cp\u003eA critical authorization bypass vulnerability exists in RustFS versions 0.0.2 and earlier, specifically within the notification target admin API endpoints (\u003ccode\u003erustfs/src/admin/handlers/event.rs\u003c/code\u003e). These endpoints lack proper admin-action authorization, failing to call \u003ccode\u003evalidate_admin_request\u003c/code\u003e. This oversight allows a non-admin user to overwrite admin-defined notification targets by name. Successful exploitation enables attackers to intercept events intended for legitimate administrators and evade audit logs. The attacker gains the ability to redirect bucket events to an attacker-controlled endpoint, potentially exfiltrating sensitive information like object keys, bucket names, user identities, and request metadata. 
This issue was patched in RustFS version 1.0.0-alpha.94.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a RustFS account with non-admin (readonly) privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PUT request to one of the notification target admin API endpoints (e.g., to create or update a notification target).\u003c/li\u003e\n\u003cli\u003eThe request bypasses the intended admin authorization checks due to the missing \u003ccode\u003evalidate_admin_request\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an existing, admin-defined notification target, replacing the legitimate endpoint with an attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eAn S3 bucket event (e.g., object creation) occurs, triggering the notification system.\u003c/li\u003e\n\u003cli\u003eRustFS sends an HTTP request containing event data to the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the exfiltrated event data, including object keys, bucket names, user identities, and request metadata.\u003c/li\u003e\n\u003cli\u003eThe attacker can also delete unbound targets or silently redirect events from bound targets, further evading audit detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to intercept sensitive data related to bucket events, potentially leading to data breaches and unauthorized access to resources. The vulnerability affects RustFS instances where non-admin users have access to the system, enabling them to manipulate notification targets intended for administrative purposes. The attacker can redirect events to an external endpoint, exposing potentially thousands of events containing sensitive information. 
The ability to overwrite existing notification targets allows for a persistent compromise until the vulnerability is patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade RustFS to version 1.0.0-alpha.94 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect RustFS Notification Target Manipulation\u0026rdquo; to identify attempts to modify notification targets via the admin API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (cs-uri-query, cs-method) for unusual activity related to the notification target admin API endpoints to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit non-admin user access to sensitive API endpoints and resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-rustfs-admin-auth-bypass/","summary":"A vulnerability in RustFS allows a non-admin user to overwrite a shared admin-defined notification target, leading to event interception and audit evasion due to missing admin-action authorization on notification target admin API endpoints.","title":"RustFS Notification Target Admin API Authorization Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-rustfs-admin-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["phpVMS"],"_cs_severities":["critical"],"_cs_tags":["authorization-bypass","data-loss","phpvms"],"_cs_type":"advisory","_cs_vendors":["phpvms"],"content_html":"\u003cp\u003eA critical vulnerability has been identified in phpVMS 7.x, specifically affecting versions up to 7.0.5. This vulnerability stems from a deprecated legacy import feature that, despite its intended obsolescence, remained partially accessible without authentication. 
A remote, unauthenticated attacker could exploit this flaw to interact with internal processes responsible for data manipulation within the application. The vulnerability was addressed in phpVMS version 7.0.6, which removes public access to the vulnerable feature, highlighting the importance of prompt patching to mitigate the risk of unauthorized data modification or deletion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the \u003ccode\u003e/importer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe application fails to properly validate the request, granting access to the legacy import feature.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed import functionality to initiate a data manipulation process.\u003c/li\u003e\n\u003cli\u003eThe application executes the attacker-initiated process without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe import process modifies or deletes data within the application\u0026rsquo;s database.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process to maximize data corruption or deletion.\u003c/li\u003e\n\u003cli\u003eThe application becomes unstable or unusable due to the corrupted database.\u003c/li\u003e\n\u003cli\u003eService disruption occurs, impacting all users of the phpVMS system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of this vulnerability in phpVMS can lead to significant data loss and service disruption. An attacker can remotely trigger the modification or deletion of critical application data without any authentication. This can result in a complete loss of data integrity, rendering the application unusable. The specific number of potential victims is dependent on the number of phpVMS instances running vulnerable versions (\u0026lt;= 7.0.5). 
Successful exploitation can lead to extended downtime and significant recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to phpVMS version 7.0.6 or later to remediate \u003cstrong\u003eCVE-2026-42569\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, follow the instructions provided in the release notes for version 7.0.6 to disable the vulnerable \u003ccode\u003e/importer\u003c/code\u003e routes.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to monitor for suspicious requests to the \u003ccode\u003e/importer\u003c/code\u003e endpoint, indicative of attempted exploitation.\u003c/li\u003e\n\u003cli\u003eEnable web server access logging and review logs for unauthorized access attempts to the \u003ccode\u003e/importer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-phpvms-auth-bypass/","summary":"A critical vulnerability exists in phpVMS 7.x versions up to 7.0.5, allowing unauthenticated access to a legacy import feature, enabling a remote attacker to trigger internal processes that can modify or delete application data, potentially leading to data loss and service disruption.","title":"phpVMS Unauthenticated Access to Legacy Import Feature","url":"https://feed.craftedsignal.io/briefs/2024-01-phpvms-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","path-normalization","cloud"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a cloud-native security proxy, is susceptible to an authorization bypass vulnerability. This issue arises from a discrepancy in how Heimdall handles request paths compared to downstream components. 
Specifically, Heimdall performs rule matching on the raw, non-normalized request path, while downstream components might normalize dot-segments (e.g., \u003ccode\u003e/user/../admin\u003c/code\u003e) according to RFC 3986. This can lead to Heimdall authorizing a request based on the raw path, whereas the downstream service processes a different, normalized path, potentially bypassing intended access controls. The vulnerability affects Heimdall versions prior to 0.17.14. Exploitation is possible when using wildcards in rule matching without further constraints. This could allow attackers to access restricted resources or functionalities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request with a path containing dot-segments (e.g., \u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Heimdall proxy.\u003c/li\u003e\n\u003cli\u003eHeimdall performs rule matching on the raw, non-normalized path (\u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall incorrectly matches the request to a less restrictive rule, such as a rule for \u003ccode\u003e/public/**\u003c/code\u003e, due to the initial \u003ccode\u003e/public\u003c/code\u003e segment.\u003c/li\u003e\n\u003cli\u003eHeimdall authorizes the request based on the matched rule, potentially allowing anonymous access.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the downstream service.\u003c/li\u003e\n\u003cli\u003eThe downstream service normalizes the request path to \u003ccode\u003e/user/resource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downstream service processes the request as \u003ccode\u003e/user/resource\u003c/code\u003e, bypassing the intended access controls for that resource, possibly leading to data access or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass access control policies enforced by Heimdall. This can lead to unauthorized access to sensitive data, modification of restricted data, invocation of privileged functionality without proper authentication or authorization, and in certain configurations, escalation of privileges. The number of potential victims depends on the deployment and configuration of Heimdall within affected environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the available patch to upgrade Heimdall to version 0.17.14 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement HTTP path normalization or rejection of HTTP paths containing relative path expressions in layers in front of Heimdall, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious HTTP requests containing dot-segments (..) in the request path.\u003c/li\u003e\n\u003cli\u003eConfigure your proxies (e.g., Envoy) to normalize paths, as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-auth-bypass/","summary":"Heimdall is vulnerable to an authorization bypass due to a path normalization mismatch between Heimdall and downstream components, potentially leading to unauthorized access and privilege escalation.","title":"Heimdall Authorization Bypass via Path Normalization Mismatch","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Authorization-Bypass","version":"https://jsonfeed.org/version/1.1"}