https://feed.craftedsignal.io/tags/authorization-bypass/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 17:20:20 +0000https://feed.craftedsignal.io/briefs/2026-05-quarkus-auth-bypass/Mon, 04 May 2026 17:20:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-quarkus-auth-bypass/Quarkus Vertx HTTP versions < 3.20.6.1, >= 3.21.0 and < 3.27.3.1, >= 3.30.0 and < 3.33.1.1, and >= 3.34.0 and < 3.35.1.1 are vulnerable to an authorization bypass where appending a semicolon and arbitrary text to the request URL allows unauthorized access to protected resources.A vulnerability exists in Quarkus Vertx HTTP versions < 3.20.6.1, >= 3.21.0 and < 3.27.3.1, >= 3.30.0 and < 3.33.1.1, and >= 3.34.0 and < 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (;) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus’s security layer checks the raw URL path, while RESTEasy Reactive’s routing layer strips matrix parameters before matching endpoints. This means a request like /api/admin;anything can bypass authorization for /api/admin while still routing to the protected endpoint. This issue was discovered and verified by the GitHub Security Lab.

Attack Chain

1. An attacker identifies a protected endpoint, such as /api/admin, that requires authentication or specific privileges.
2. The attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as /api/admin;anything.
3. The request is sent to the Quarkus Vertx HTTP server.
4. Quarkus’s security layer performs an authorization check on the raw URL path /api/admin;anything, which may not match the intended authorization rules for /api/admin.
5. RESTEasy Reactive’s routing layer strips the matrix parameters (;anything) from the URL, resulting in the endpoint /api/admin being matched.
6. The request is routed to the protected endpoint /api/admin, bypassing the intended authorization checks.
7. The attacker gains unauthorized access to the protected resource or functionality.
8. The attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.

Impact

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.

Recommendation

• Upgrade Quarkus Vertx HTTP to a patched version (>= 3.20.6.1, >= 3.27.3.1, >= 3.33.1.1, >= 3.35.1.1) to remediate CVE-2026-39852.
• Deploy the Sigma rule Detect Quarkus Authorization Bypass Attempt to identify potential exploitation attempts in web server logs.
• Monitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the Monitor Semicolons in URL Path Sigma rule.

]]>highadvisoryauthentication-bypassauthorization-bypassweb-applicationhttps://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/Wed, 22 Apr 2026 09:16:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.The Create DB Tables plugin, versions 1.2.1 and earlier, suffers from an authorization bypass vulnerability (CVE-2026-4119). This flaw stems from the plugin’s failure to implement capability checks or nonce verification for its admin_post action hooks, specifically those responsible for creating (admin_post_add_table) and deleting (admin_post_delete_db_table) database tables. Because the admin_post hook only requires a user to be logged in, any authenticated user, including those with the lowest Subscriber role, can access these endpoints. This oversight allows malicious actors to create arbitrary database tables or, more critically, delete existing ones, including vital WordPress core tables. The vulnerability was published on 2026-04-22, and given the severity, defenders should immediately address this risk. The affected versions of the plugin should be updated or removed to prevent potential exploitation.

Attack Chain

1. An attacker registers an account on a vulnerable WordPress site, gaining Subscriber-level access.
2. The attacker crafts a POST request to wp-admin/admin-post.php with the action parameter set to add_table or delete_db_table.
3. The attacker provides the db_table parameter with the name of the table to be deleted, if exploiting the delete_db_table action.
4. The server processes the request without proper authorization checks, because current_user_can() and wp_verify_nonce() are missing.
5. The cdbt_delete_db_table() function executes a DROP TABLE SQL query based on the user-supplied db_table parameter.
6. If the attacker targets a critical WordPress core table like wp_users or wp_options, the site’s functionality will be severely impacted.
7. Alternatively, if exploiting the add_table action, the cdbt_create_new_table() function executes a CREATE TABLE SQL query, creating an arbitrary database table.
8. Successful exploitation can lead to complete destruction of the WordPress installation or the introduction of malicious database tables.

Impact

Successful exploitation of this vulnerability allows any authenticated user to delete arbitrary database tables, including critical WordPress core tables. This can lead to complete site destruction and data loss. An attacker could delete the wp_users table, effectively locking out all administrators and other users, or delete the wp_options table, causing the site to revert to its default state or become completely unusable. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting the critical nature of the risk.

Recommendation

• Immediately update the Create DB Tables plugin to a version higher than 1.2.1, where this vulnerability is patched.
• Monitor web server logs for POST requests to wp-admin/admin-post.php with action=delete_db_table or action=add_table (see rule: “Detect Unauthorized DB Table Modification”).
• Implement a Web Application Firewall (WAF) rule to block requests to wp-admin/admin-post.php with the vulnerable actions unless originating from an administrator (see rule: “WAF - Block Unauthorized DB Table Modification”).

]]>criticaladvisorywordpressauthorization-bypassplugin-vulnerabilitycve-2026-4119https://feed.craftedsignal.io/briefs/2024-02-paperclip-gmail-access/Thu, 16 Apr 2026 22:47:40 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-02-paperclip-gmail-access/A Paperclip-managed `codex_local` runtime can access and utilize Gmail connectors connected in the ChatGPT/OpenAI apps UI without explicit Paperclip configuration, allowing unauthorized mailbox access and email sending capabilities due to a trust-boundary failure and dangerous default runtime settings.A critical vulnerability exists within the Paperclip AI ecosystem, specifically affecting the codex_local runtime environment. The core issue stems from a trust-boundary failure, where a Paperclip-managed codex_local runtime gains unauthorized access to Gmail connectors that were previously configured within the broader ChatGPT/OpenAI apps UI. This unintended inheritance of connector permissions allows the codex_local environment to perform actions, such as reading emails and sending messages, without explicit authorization within Paperclip itself. This is further complicated by the codex_local runtime’s default setting of dangerouslyBypassApprovalsAndSandbox to true, which effectively disables security controls and amplifies the risk associated with the connector access. This issue was identified in Paperclip versions up to and including 2026.403.0. Successful exploitation bypasses intended permission boundaries and poses a significant risk to user data and privacy.

Attack Chain

1. User connects their Gmail account within the ChatGPT/OpenAI apps UI for use with other OpenAI services.
2. A self-hosted Paperclip instance is deployed, utilizing the codex_local runtime.
3. A codex_local agent is created and initiated, operating under default settings, which include dangerouslyBypassApprovalsAndSandbox = true.
4. The codex_local runtime accesses cached OpenAI curated connector state for Gmail found within the codex-home/plugins/cache/openai-curated/gmail/.../.app.json path.
5. The agent executes a task designed to inspect mailbox contents, leveraging the inherited Gmail connector.
6. The agent makes successful mcp__codex_apps__gmail_get_profile, mcp__codex_apps__gmail_search_emails, and mcp__codex_apps__gmail_send_email calls.
7. An email is sent from the user’s Gmail account to an unintended recipient without explicit user authorization or Paperclip configuration.
8. Subsequent “retraction” emails are sent, further demonstrating the persistent and unauthorized write access to the Gmail account.

Impact

The unauthorized access to Gmail connectors through Paperclip’s codex_local runtime has severe consequences. It enables attackers to perform actions, such as disclosing mailbox identity, accessing email threads, and sending emails to external third parties without explicit user consent. In a real-world scenario, this resulted in the sending of an email from a user’s personal Gmail account to an unintended external recipient, and follow-up retraction messages, highlighting the potential for significant reputational damage and data breaches. The inherent trust boundary failure and unsafe default settings significantly amplify the risk, making it critical to address these vulnerabilities.

Recommendation

• Disable or restrict the default inheritance of OpenAI app connectors within Paperclip-managed codex_local runs to prevent unintended access to services like Gmail.
• Implement a default-deny policy for send/write connectors, requiring explicit Paperclip-side opt-in before any outward actions are permitted.
• Modify the codex_local runtime defaults to ensure safer configurations, including setting dangerouslyBypassApprovalsAndSandbox = false.
• Implement the Sigma rules provided to detect unauthorized Gmail API calls originating from the Paperclip environment.

]]>highadvisorypaperclipaigmailopenaiauthorization bypasshttps://feed.craftedsignal.io/briefs/2026-04-trek-auth-bypass/Sat, 11 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-trek-auth-bypass/TREK collaborative travel planner before version 2.7.2 is vulnerable to missing authorization checks on the Immich trip photo management routes, potentially allowing unauthorized access to trip photos.TREK is a collaborative travel planning application. Prior to version 2.7.2, a critical vulnerability existed within the application related to authorization checks. Specifically, the Immich trip photo management routes lacked proper authorization checks. This flaw, identified as CVE-2026-40185, could potentially allow unauthorized users to access and manipulate trip photos if exploited. The vulnerability was reported by GitHub, Inc. and patched in version 2.7.2 of TREK. Defenders should ensure they are running version 2.7.2 or later of the TREK application to mitigate this risk. This vulnerability affects systems running the vulnerable versions of the TREK application and could impact the confidentiality and integrity of user data.

Attack Chain

1. An attacker identifies a vulnerable TREK instance running a version prior to 2.7.2.
2. The attacker crafts a malicious HTTP request targeting the Immich trip photo management routes.
3. Due to the missing authorization checks, the attacker bypasses authentication requirements.
4. The attacker gains unauthorized access to trip photos.
5. The attacker may modify or delete trip photos, impacting data integrity.
6. The attacker could potentially use the exposed data to gather sensitive information about the trip and its participants.
7. The attacker could potentially upload malicious images to the photo storage.

Impact

Successful exploitation of CVE-2026-40185 can lead to unauthorized access and modification of trip photos within the TREK travel planner application. While the exact number of affected users is unknown, any TREK instance running a version prior to 2.7.2 is susceptible. This could result in a breach of confidentiality, potential data manipulation, and reputational damage for the application. Sectors that rely on collaborative travel planning may be particularly affected.

Recommendation

• Upgrade all TREK instances to version 2.7.2 or later to remediate CVE-2026-40185.
• Deploy the Sigma rule Detect Suspicious TREK Photo Route Access to detect potential exploitation attempts targeting the vulnerable photo management routes.
• Monitor web server logs for unusual activity related to the Immich trip photo management routes.
• Monitor network traffic for unusual patterns or connections to the TREK server that might indicate exploitation attempts.

]]>mediumadvisorycve-2026-40185authorization-bypassweb-applicationhttps://feed.craftedsignal.io/briefs/2024-01-03-chartbrew-auth-bypass/Fri, 10 Apr 2026 20:16:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-chartbrew-auth-bypass/Chartbrew versions prior to 4.9.0 are vulnerable to a cross-tenant authorization bypass, allowing an authenticated attacker to access project data belonging to other teams.Chartbrew, an open-source web application used for creating charts from databases and APIs, is vulnerable to a cross-tenant authorization bypass (CVE-2026-32252) in versions prior to 4.9.0. This vulnerability resides in the GET /team/:team_id/template/generate/:project_id endpoint. Specifically, the checkAccess function doesn’t await its promise and fails to validate if the project_id belongs to the specified team_id or the attacker’s team. This allows an authenticated attacker with template generation permissions in their own team to request and receive template model data for projects belonging to other teams. Upgrading to version 4.9.0 or later resolves this issue.

Attack Chain

1. Attacker authenticates to a Chartbrew instance with valid credentials and template generation permissions within their own team.
2. Attacker identifies a valid team_id belonging to a victim team. This could be done through enumeration of team IDs, social engineering, or other means.
3. Attacker identifies a valid project_id belonging to the victim team. This may require some level of prior knowledge or reconnaissance.
4. Attacker crafts a GET request to /team/:victim_team_id/template/generate/:victim_project_id, replacing :victim_team_id and :victim_project_id with the identified values.
5. The Chartbrew server receives the request and calls the checkAccess function, but does not await the promise.
6. Due to the missing validation of the project_id against the team_id and the caller’s team, the authorization check is bypassed.
7. The server retrieves the template model data associated with the victim’s project.
8. The server returns the victim’s project data to the attacker.

Impact

Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive project data belonging to other teams within the Chartbrew application. This could include confidential database connection strings, API keys, data schemas, and other information that could be used to further compromise the victim’s systems or data. The number of affected organizations depends on the adoption rate of Chartbrew instances prior to version 4.9.0.

Recommendation

• Upgrade Chartbrew to version 4.9.0 or later to patch CVE-2026-32252.
• Implement the Sigma rule Detect Chartbrew Template Generation Request to identify potential exploitation attempts in web server logs.
• Monitor web server logs for unusual requests to the /team/*/template/generate/* endpoint using a WAF or similar tool.

]]>highadvisorychartbrewauthorization-bypassweb-applicationhttps://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/Fri, 10 Apr 2026 20:02:46 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.The Goshs web server is susceptible to a critical authorization bypass (CVE-2026-40189) affecting versions up to and including 1.1.4 and v2.0.0-beta.3. The vulnerability stems from inconsistent enforcement of file-based ACLs defined by .goshs files. While the application correctly enforces authorization for reading and listing files, state-changing routes such as PUT, POST /upload, ?mkdir, and ?delete do not perform the same authorization checks. This allows unauthenticated attackers to upload, create, and delete files within directories that should be protected by authentication. The most severe impact arises from the ability to delete the .goshs file itself, thereby removing the authentication requirement and exposing previously protected content. This vulnerability undermines the intended security mechanisms of Goshs, posing a significant risk to data confidentiality, integrity, and availability.

Attack Chain

1. The attacker identifies a Goshs instance utilizing .goshs files for access control.
2. The attacker sends an unauthenticated PUT request to upload a file to a protected directory, bypassing ACL checks via httpserver/updown.go:18-60. Example: PUT /protected/put-created.txt
3. Alternatively, the attacker sends an unauthenticated multipart POST request to /upload endpoint to upload a file to a protected directory, bypassing ACL checks via httpserver/updown.go:63-165. Example: POST /protected/upload
4. The attacker sends an unauthenticated request with the ?mkdir parameter to create a directory within the protected directory, bypassing ACL checks via httpserver/handler.go:901-937. Example: /?mkdir=new_directory
5. The attacker sends an unauthenticated request with the ?delete parameter targeting the .goshs file within the protected directory, leveraging the vulnerable route in httpserver/handler.go:679-698. Example: /.goshs?delete
6. The server deletes the .goshs file using os.RemoveAll(), effectively removing the access control restrictions for the directory.
7. The attacker sends an unauthenticated request to access previously protected files, which are now accessible due to the absence of the .goshs file.
8. The attacker gains unauthorized access to sensitive information and can perform further malicious actions, such as deleting or modifying critical files.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls in Goshs deployments. This can lead to unauthorized access to sensitive files, potentially exposing confidential information. Attackers can also create, modify, or delete files within protected directories, causing data corruption or service disruption. The ability to delete the .goshs file directly amplifies the impact, as it permanently removes the authentication barrier, affecting all previously protected content. This vulnerability poses a significant threat to the confidentiality, integrity, and availability of Goshs-hosted data.

Recommendation

• Apply the vendor-supplied patch or upgrade to a version of Goshs that addresses CVE-2026-40189.
• Deploy the Sigma rule “Detect Goshs Unauthenticated .goshs Deletion” to your SIEM to detect attempts to remove .goshs ACL files via the ?delete parameter.
• Deploy the Sigma rule “Detect Goshs Unauthenticated PUT Request to Protected Directories” to detect unauthorized file uploads to protected directories.
• Monitor web server logs for PUT, POST, and DELETE requests targeting directories containing .goshs files to identify potential exploitation attempts. (Log Source: webserver)

]]>criticaladvisoryauthorization bypassaclfile uploadfile deletionCVE-2026-40189https://feed.craftedsignal.io/briefs/2026-04-decolua-auth-bypass/Thu, 09 Apr 2026 05:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-decolua-auth-bypass/CVE-2026-5842 is an authorization bypass vulnerability in decolua 9router versions up to 0.3.47, allowing remote attackers to gain unauthorized access via manipulation of the /api endpoint.A critical security vulnerability, CVE-2026-5842, affects decolua 9router versions up to 0.3.47. The vulnerability resides within an unknown function of the /api endpoint, specifically the Administrative API. Successful exploitation of this flaw allows a remote attacker to bypass authorization controls, potentially gaining administrative privileges. A public exploit for this vulnerability has been disclosed, increasing the risk of exploitation. Organizations using vulnerable versions of decolua 9router should upgrade to version 0.3.75 as soon as possible to mitigate the risk. This vulnerability was published on April 9, 2026 and poses a significant threat due to the availability of a public exploit.

Attack Chain

1. Attacker identifies a vulnerable decolua 9router instance running a version prior to 0.3.75.
2. The attacker sends a crafted HTTP request to the /api endpoint.
3. The crafted request exploits the authorization bypass vulnerability in the targeted function.
4. The vulnerable application fails to properly validate the attacker’s authorization, granting them access.
5. The attacker gains unauthorized access to administrative functionalities.
6. The attacker leverages the unauthorized access to modify router configurations.
7. The attacker can then potentially perform actions like changing DNS settings, creating rogue user accounts, or disrupting network services.

Impact

Successful exploitation of CVE-2026-5842 allows attackers to bypass authorization and gain unauthorized administrative access to the decolua 9router. This can lead to complete compromise of the router, allowing attackers to eavesdrop on network traffic, redirect traffic to malicious sites, or disrupt network services. Given the availability of a public exploit, vulnerable routers are at high risk of compromise. This vulnerability can have severe consequences for both home and business networks relying on decolua 9router.

Recommendation

• Upgrade all decolua 9router instances to version 0.3.75 or later to remediate CVE-2026-5842.
• Monitor web server logs for suspicious activity targeting the /api endpoint using the Sigma rule provided below.
• Implement firewall rules to restrict access to the administrative interface of the router.
• Review and audit existing router configurations for any unauthorized changes after applying the provided Sigma rule to detect any potential intrusions.

]]>highadvisorycveauthorization-bypassrouterhttps://feed.craftedsignal.io/briefs/2026-04-filebrowser-share-bypass/Wed, 08 Apr 2026 00:04:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-filebrowser-share-bypass/File Browser share links remain accessible after Share/Download permissions are revoked, allowing continued access to shared files even after an administrator revokes the user's permissions.File Browser versions prior to 2.63.1 contain an authorization bypass vulnerability. Specifically, when an administrator revokes a user’s share and download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The vulnerability exists because the public share download handler (http/public.go) does not re-check the share owner’s current permissions when serving shared files. This can lead to unauthorized data access and a false sense of security for administrators who believe that revoking permissions immediately terminates access to shared resources. The issue was verified against version 2.62.2 (commit 860c19d).

Attack Chain

1. An administrator creates a user account with Share and Download permissions.
2. The user logs in and creates a share link for a file (e.g., secret.txt). The system generates a hash (e.g., fB4Qwtsn) associated with the share.
3. An unauthenticated user accesses the file via the share link (e.g., /api/public/dl/fB4Qwtsn), successfully downloading the content.
4. The administrator revokes the user’s Share and Download permissions via the API, modifying the user’s record in the system.
5. The revoked user attempts to create a new share link and is correctly denied access (403 Forbidden).
6. An unauthenticated user attempts to access the file using the previously created share link (e.g., /api/public/dl/fB4Qwtsn).
7. The system retrieves the share link information but fails to validate if the original user still possesses Share and Download permissions.
8. The system serves the file, bypassing the intended authorization restrictions and granting unauthorized access.

Impact

The vulnerability allows unauthorized access to files shared through File Browser, even after an administrator has revoked the share creator’s permissions. This can result in data breaches, as users who should no longer have access to shared resources can still retrieve them via existing share links. The administrator may believe that revoking permissions immediately stops all sharing, leading to a false sense of security. This is particularly impactful in environments where sensitive data is shared via File Browser and access control is critical.

Recommendation

• Upgrade File Browser to version 2.63.1 or later to patch CVE-2026-35604.
• Monitor web server logs for access to /api/public/dl/* endpoints (logsource: webserver, product: linux/windows) after revoking user permissions; correlate with user permission changes.
• Implement the suggested fix by adding permission re-validation in withHashFile as described in the advisory.

]]>highadvisoryfilebrowserauthorization-bypassgithub-advisorycve-2026-35604https://feed.craftedsignal.io/briefs/2026-04-churchcrm-auth-bypass/Tue, 07 Apr 2026 18:16:44 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-churchcrm-auth-bypass/An authenticated API user of ChurchCRM prior to v7.1.0 can bypass authorization checks and modify arbitrary family records by manipulating the familyId parameter in API requests, leading to privilege escalation and potential data manipulation.ChurchCRM is an open-source church management system. Prior to version 7.1.0, a critical vulnerability exists (CVE-2026-39331) that allows authenticated API users to bypass authorization controls and modify family records without proper privileges. This is achieved by manipulating the {familyId} parameter in specific API requests. The vulnerability lies in the absence of role-based access control on several key API endpoints, including /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode. This allows attackers to deactivate/reactivate families, spam verification emails, mark families as verified, and trigger geocoding actions without the necessary permissions. This vulnerability poses a significant risk to the integrity and availability of ChurchCRM data, especially in multi-tenant environments. Upgrade to version 7.1.0 to remediate this vulnerability.

Attack Chain

1. An attacker authenticates to the ChurchCRM API with valid user credentials.
2. The attacker identifies a target familyId that they do not have explicit modification rights for.
3. The attacker crafts a malicious API request to one of the vulnerable endpoints: /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, or /family/{familyId}/geocode.
4. The attacker replaces the {familyId} parameter in the request URL with the target familyId.
5. For example, the attacker sends a POST request to /family/123/activate/false to deactivate family with ID 123.
6. Due to the lack of role-based access control, the server processes the request without verifying if the attacker has the necessary EditRecords privilege.
7. The target family’s state is modified (e.g., deactivated, marked as verified).
8. The attacker repeats this process for other families and actions, potentially causing widespread disruption or data manipulation.

Impact

Successful exploitation of CVE-2026-39331 allows an attacker to escalate privileges and manipulate sensitive family data within ChurchCRM. This can lead to unauthorized deactivation of families, generation of spam verification emails, inaccurate family verification status, and resource exhaustion due to excessive geocoding requests. While specific victim counts are unknown, all ChurchCRM instances prior to version 7.1.0 are vulnerable. The consequences include reputational damage, data integrity issues, and potential disruption of church operations.

Recommendation

• Immediately upgrade ChurchCRM to version 7.1.0 to patch CVE-2026-39331 and address the authorization bypass vulnerability.
• Monitor web server logs for suspicious requests to the vulnerable API endpoints (/family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, /family/{familyId}/geocode) as detected by the Sigma rule “ChurchCRM Family ID Manipulation”.
• Implement stricter input validation and role-based access controls on all API endpoints to prevent unauthorized data modification, especially those handling sensitive data like family records.
• Review and audit existing ChurchCRM user permissions to identify and revoke any unnecessary privileges that could be exploited in conjunction with this vulnerability.

]]>highadvisorycve-2026-39331churchcrmauthorization-bypassprivilege-escalationweb-applicationhttps://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/Tue, 07 Apr 2026 17:16:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability (CVE-2026-22683) that allows users with the Operator role to bypass intended restrictions and perform unauthorized entity creation and modification actions via the backend API, potentially leading to privilege escalation and remote code execution.Windmill, a low-code internal tool platform, contains a critical missing authorization vulnerability, tracked as CVE-2026-22683, affecting versions 1.56.0 through 1.614.0. The vulnerability stems from a failure to properly enforce role-based access controls within the backend API. Specifically, users assigned the “Operator” role, who are intended to have limited privileges and be restricted from creating or modifying entities, can bypass these restrictions. This allows Operators to create and modify scripts, flows, apps, and raw_apps, effectively exceeding their intended permissions. Given that Operators can also execute scripts through the jobs API, this authorization bypass facilitates a direct path to privilege escalation and potentially remote code execution within the Windmill environment. Defenders should prioritize patching and detection efforts to mitigate this risk.

Attack Chain

1. An attacker compromises or is assigned an “Operator” role within the Windmill platform.
2. The attacker authenticates to the Windmill backend API using their Operator credentials.
3. The attacker crafts a malicious API request to create a new script, flow, app, or raw_app, bypassing the intended authorization checks for Operator roles.
4. The Windmill API processes the request without properly validating the Operator’s permissions, allowing the entity creation to proceed.
5. The attacker creates a script containing malicious code designed to escalate privileges or execute arbitrary commands.
6. The attacker utilizes the jobs API to execute the newly created malicious script.
7. The script executes with elevated privileges within the Windmill deployment environment.
8. The attacker achieves remote code execution, potentially compromising the entire Windmill instance and connected resources.

Impact

A successful exploitation of CVE-2026-22683 can lead to complete compromise of the Windmill instance. An attacker leveraging an Operator account can gain remote code execution capabilities. The missing authorization can lead to full control over the Windmill instance, potentially affecting all applications, flows, and scripts managed within the platform. Given the nature of Windmill as an internal tool platform, this could expose sensitive internal data and systems to unauthorized access. The number of affected organizations depends on the adoption rate of Windmill within the affected version range.

Recommendation

• Immediately upgrade Windmill instances to a patched version beyond 1.614.0 to remediate CVE-2026-22683.
• Implement the Sigma rule Detect Windmill Unauthorized Entity Creation to detect attempts to create scripts, flows, apps, or raw_apps from Operator accounts via the API.
• Implement the Sigma rule Detect Windmill Job Execution of Newly Created Entities to detect the execution of scripts, flows, apps or raw_apps that were recently created.
• Monitor Windmill API logs for suspicious activity related to entity creation and modification, focusing on requests originating from Operator accounts.

]]>criticaladvisorywindmillauthorization-bypassprivilege-escalationremote-code-executionhttps://feed.craftedsignal.io/briefs/2026-04-ajenti-auth-bypass/Fri, 03 Apr 2026 03:57:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-ajenti-auth-bypass/Ajenti versions before 2.2.15 contain an authorization bypass vulnerability that allows authenticated non-superuser users to install custom packages, potentially leading to privilege escalation and system compromise.Ajenti is a web-based system administration panel. Prior to version 2.2.15, a flaw exists in the auth_users authentication plugin that permits authenticated users lacking superuser privileges to install custom packages. This vulnerability, identified as CVE-2026-35175, allows a low-privileged user to bypass intended authorization checks, potentially escalating their privileges and compromising the entire system. An attacker could leverage this vulnerability to install malicious packages, execute arbitrary code with elevated privileges, and gain unauthorized access to sensitive data or system functionalities. Organizations using vulnerable versions of Ajenti are at risk of internal privilege escalation attacks.

Attack Chain

1. An attacker gains initial access to the Ajenti web panel with a valid, non-superuser account using the auth_users plugin.
2. The attacker navigates to the custom package installation feature within the Ajenti web interface.
3. The attacker uploads a malicious custom package designed to execute arbitrary commands or install backdoors.
4. Ajenti fails to properly validate the user’s privileges before initiating the package installation process.
5. The malicious package is installed with the privileges of the Ajenti process, which may include elevated permissions.
6. The malicious package executes its payload, potentially installing a reverse shell, creating new administrative accounts, or modifying critical system files.
7. The attacker leverages the installed backdoor or elevated privileges to gain persistent access to the system.

Impact

Successful exploitation of this vulnerability allows an authenticated, non-superuser user to execute arbitrary code with elevated privileges. This can lead to full system compromise, data theft, and disruption of services. While the precise number of affected installations is unknown, any organization running Ajenti versions prior to 2.2.15 with the auth_users authentication plugin enabled is vulnerable. The impact includes potential data breaches, system downtime, and reputational damage.

Recommendation

• Immediately upgrade Ajenti to version 2.2.15 or later to patch CVE-2026-35175 (see References).
• Implement the Sigma rule Detect Suspicious Ajenti Package Installation to detect unauthorized package installations.
• Review Ajenti access logs for unusual activity or attempts to access restricted functionalities.

]]>highadvisoryajentiauthorization-bypassprivilege-escalationCVE-2026-35175https://feed.craftedsignal.io/briefs/2026-03-scitokens-auth-bypass/Tue, 31 Mar 2026 18:16:50 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-scitokens-auth-bypass/SciTokens C++ library before 1.4.1 is vulnerable to an authorization bypass (CVE-2026-32725) due to improper path normalization, allowing attackers to escalate privileges by using parent-directory traversal in scope claims.The SciTokens C++ library, a minimal library for creating and using SciTokens, contains an authorization bypass vulnerability (CVE-2026-32725) in versions prior to 1.4.1. This flaw stems from the library’s handling of path-based scopes within tokens. Specifically, the library normalizes the scope path from the token before authorization but improperly collapses “..” path components instead of rejecting them. This can lead to a significant security risk, allowing attackers to manipulate scope claims and gain unauthorized access. The vulnerability was reported on March 31, 2026 and patched in version 1.4.1. Organizations using affected versions of scitokens-cpp are at risk of privilege escalation.

Attack Chain

1. An attacker crafts a SciToken with a malicious scope claim containing “..” sequences.
2. The SciToken is presented to a service using scitokens-cpp for authorization.
3. The scitokens-cpp library normalizes the scope path.
4. Instead of rejecting the “..” sequence, the library collapses it, effectively traversing to parent directories.
5. The authorization check is performed against the manipulated scope.
6. Due to the altered scope, the attacker gains access to resources outside the intended directory.
7. The attacker leverages this elevated access to perform unauthorized actions.
8. Successful exploitation leads to privilege escalation.

Impact

Successful exploitation of CVE-2026-32725 allows attackers to bypass intended authorization controls within applications using the SciTokens C++ library. By crafting tokens with manipulated scope claims, attackers can gain unauthorized access to sensitive resources and escalate their privileges. This could lead to data breaches, system compromise, and other severe consequences. Organizations relying on scitokens-cpp for access control are vulnerable until they update to version 1.4.1.

Recommendation

• Upgrade the scitokens-cpp library to version 1.4.1 or later to patch CVE-2026-32725.
• Deploy the Sigma rule Detect Suspicious SciTokens Scope to identify potentially malicious tokens being used in your environment.
• Implement strict input validation on any components that process SciToken claims to prevent path traversal attempts.

]]>highadvisoryauthorization-bypassprivilege-escalationcvehttps://feed.craftedsignal.io/briefs/2026-04-scitokens-auth-bypass/Tue, 31 Mar 2026 03:17:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-scitokens-auth-bypass/SciTokens versions prior to 1.9.6 incorrectly validate scope paths using a prefix match, leading to an authorization bypass vulnerability where a token with access to a specific path can access sibling paths with the same prefix.<p>SciTokens is a reference library for generating and using SciTokens. Versions prior to 1.9.6 are vulnerable to an authorization bypass. The vulnerability, identified as CVE-2026-32716, stems from incorrect validation of scope paths within the Enforcer component. Instead of performing an exact match, the Enforcer uses a simple prefix match (startswith). This flaw allows a token authorized for a specific path (e.g., <code>/john</code>) to also gain unauthorized access to sibling paths sharing the same…</p> highadvisoryauthorization-bypassscitokensCVE-2026-32716https://feed.craftedsignal.io/briefs/2026-03-moby-authz-bypass/Tue, 31 Mar 2026 03:15:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-moby-authz-bypass/A security vulnerability in Moby (prior to v29.3.1) allows attackers to bypass authorization plugins, potentially leading to unauthorized container access and privilege escalation.<p>Moby is an open-source container framework widely used in containerization deployments. A critical security vulnerability, identified as CVE-2026-34040, affects Moby versions prior to 29.3.1. This flaw enables attackers to bypass configured authorization plugins (AuthZ), potentially granting them unauthorized access to container resources and functionalities. Successful exploitation could lead to privilege escalation within the container environment, allowing attackers to execute arbitrary…</p> highadvisorycontainerizationauthorization bypassprivilege escalationcve-2026-34040https://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/Sun, 29 Mar 2026 15:37:47 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-traefik-grpc-bypass/A remote, unauthenticated attacker can bypass Traefik deny rules by sending malformed gRPC requests with a missing leading slash in the `:path` pseudo-header, exploiting a vulnerability in the gRPC-Go dependency, leading to unauthorized access if a fallback "allow" rule is configured.Traefik, a popular reverse proxy and load balancer, is susceptible to a denial rule bypass (CVE-2026-33186) due to a flaw in its gRPC-Go dependency. This vulnerability affects Traefik versions prior to 2.11.42, versions 3.0.0-beta3 through 3.6.11, and versions 3.7.0-ea.1 through 3.7.0-ea.3. An unauthenticated attacker can exploit this by sending gRPC requests with a malformed HTTP/2 :path pseudo-header that omits the leading slash (e.g., Service/Method instead of /Service/Method). While…

]]>highadvisorytraefikgrpcauthorization-bypasscve-2026-33186https://feed.craftedsignal.io/briefs/2026-03-openemr-auth-bypass/Thu, 26 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-openemr-auth-bypass/OpenEMR versions before 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user to delete patient data.OpenEMR, a widely used open-source electronic health records and medical practice management application, is vulnerable to a significant authorization bypass. Specifically, versions prior to 8.0.0.3 lack proper authorization checks in the interface/forms/procedure_order/handle_deletions.php AJAX endpoint. This flaw enables any authenticated user, regardless of their assigned role or privileges, to delete procedure orders, patient answers, and specimen records associated with any patient within the OpenEMR system. This vulnerability poses a serious threat to data integrity and confidentiality. The vendor patched this vulnerability in version 8.0.0.3. Defenders should prioritize identifying and patching vulnerable systems.

Attack Chain

1. An attacker gains valid credentials to an OpenEMR instance, potentially through phishing, credential stuffing, or other means.
2. The attacker logs into the OpenEMR web application with their valid, but potentially low-privilege, account.
3. The attacker crafts a malicious AJAX request targeting the vulnerable endpoint: interface/forms/procedure_order/handle_deletions.php.
4. The crafted request specifies the IDs of procedure orders, answers, or specimens that the attacker wishes to delete, regardless of the associated patient.
5. Due to the missing authorization check, the OpenEMR application processes the deletion request without verifying the attacker’s permissions.
6. The specified patient data (procedure orders, answers, or specimens) is permanently deleted from the OpenEMR database.
7. The attacker can repeat this process to delete additional patient data, potentially causing significant disruption or data loss.

Impact

The missing authorization vulnerability in OpenEMR allows any authenticated user to delete sensitive patient data, including procedure orders, answers to medical questionnaires, and specimen records. Successful exploitation could lead to data loss, compliance violations (e.g., HIPAA), and disruption of medical practice operations. The precise number of potentially affected OpenEMR instances is unknown, but given the widespread use of OpenEMR in medical practices, the impact could be substantial.

Recommendation

• Upgrade all OpenEMR installations to version 8.0.0.3 or later to remediate CVE-2026-34053.
• Implement network monitoring for requests to interface/forms/procedure_order/handle_deletions.php and investigate any unusual activity.
• Deploy the Sigma rule to detect potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.

]]>highadvisoryopenemrauthorization-bypassdata-deletionhttps://feed.craftedsignal.io/briefs/2026-03-connect-cms-auth-bypass/Tue, 24 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-connect-cms-auth-bypass/Connect-CMS versions 1.x up to 1.41.0 and 2.x up to 2.41.0 are vulnerable to improper authorization in the page content retrieval feature, potentially allowing retrieval of non-public information, addressed in versions 1.41.1 and 2.41.1.<p>Connect-CMS, a content management system, is susceptible to an improper authorization vulnerability (CVE-2026-32299) in versions 1.x up to 1.41.0 and 2.x up to 2.41.0. This flaw allows unauthenticated attackers to potentially retrieve non-public information through the page content retrieval feature. The vulnerability stems from a lack of proper access control checks during content retrieval. Patches are available in versions 1.41.1 and 2.41.1, released by the vendor to address this critical…</p> highadvisorycve-2026-32299connect-cmsauthorization-bypasshttps://feed.craftedsignal.io/briefs/2024-01-03-n8n-credential-bypass/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-n8n-credential-bypass/A credential authorization bypass vulnerability in n8n versions before 2.18.0 allows an authenticated user with access to a shared workflow to supply a foreign credential ID, causing the backend to decrypt and use that credential against attacker-controlled infrastructure, leading to API key exfiltration.A credential authorization bypass vulnerability, identified as CVE-2026-42226, affects n8n versions prior to 2.18.0, specifically in the dynamic-node-parameters endpoints. This flaw allows an authenticated user who has access to a shared workflow to exploit the system by supplying a credential ID belonging to another user in the request body. Due to insufficient validation, the n8n backend decrypts and utilizes the specified credential during a helper execution path where the caller controls the destination URL. This enables the malicious user to force the n8n instance to authenticate against attacker-controlled infrastructure using another user’s credentials, effectively exfiltrating a reusable API key. The vulnerability impacts any node that dynamically resolves credentials through the affected endpoints. The issue was patched in n8n version 2.18.0.

Attack Chain

1. An attacker gains authenticated access to an n8n instance.
2. The attacker obtains access to a shared workflow.
3. The attacker identifies a credential ID belonging to another user within the n8n instance.
4. The attacker crafts a request to a vulnerable dynamic-node-parameters endpoint, injecting the foreign credential ID into the request body.
5. The n8n backend, failing to validate the attacker’s authorization to use the specified credential, decrypts the targeted credential.
6. The attacker controls the destination URL in the request, pointing it to attacker-controlled infrastructure.
7. The n8n backend authenticates against the attacker-controlled infrastructure using the decrypted credential, sending the API key to the attacker.
8. The attacker captures the API key and uses it to access resources or data accessible to the compromised credential.

Impact

Successful exploitation of this vulnerability (CVE-2026-42226) allows an attacker to exfiltrate API keys belonging to other n8n users. This can lead to unauthorized access to external services and data, depending on the permissions granted to the compromised credentials. The impact is significant, potentially affecting all n8n instances running vulnerable versions (prior to 2.18.0). The severity is rated as high due to the ease of exploitation and the potential for significant data breaches.

Recommendation

• Upgrade n8n to version 2.18.0 or later to patch the vulnerability (CVE-2026-42226).
• Deploy the Sigma rule Detect n8n Foreign Credential ID in dynamic-node-parameters to identify attempts to exploit this vulnerability.
• Implement stricter access controls and limit workflow sharing to trusted users as a short-term mitigation, as suggested in the overview.

]]>highadvisorycredential-accessauthorization-bypassn8nhttps://feed.craftedsignal.io/briefs/2024-01-03-heimdall-url-encoding/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-heimdall-url-encoding/Heimdall versions before 0.17.14 are vulnerable to inconsistent path interpretation due to case-sensitive handling of URL-encoded slashes; when `allow_encoded_slashes` is set to `off` (the default), the lowercase `%2f` is not recognized, potentially leading to authorization bypass if the default rule is overly permissive and the upstream service interprets `%2f` as a path separator.Heimdall, a cloud-native access management proxy, is susceptible to an authorization bypass vulnerability due to its case-sensitive handling of URL-encoded slashes. Specifically, versions prior to 0.17.14 fail to properly process lowercase URL-encoded forward slashes (%2f) when the allow_encoded_slashes option is disabled, which is the default configuration. This discrepancy arises because, while percent-encoding should be case-insensitive, Heimdall only recognizes the uppercase %2F. This inconsistency can be exploited if an attacker crafts requests with lowercase encoded slashes that Heimdall doesn’t normalize, while upstream services do. This can result in the application of an unintended default rule (if configured permissively), leading to unauthorized access to protected resources. The vulnerability is mitigated by ensuring secure default configurations or proper input validation.

Attack Chain

1. The attacker identifies a Heimdall instance enforcing access control policies.
2. The attacker crafts a malicious HTTP request targeting a protected resource, such as /admin/secret.
3. The attacker replaces the forward slash in the request path with a lowercase URL-encoded slash (%2f), resulting in a request like /admin%2fsecret.
4. The request reaches the Heimdall instance. Due to the case-sensitive handling of URL-encoded slashes, Heimdall does not normalize the %2f.
5. Heimdall fails to match the request to the intended access control rule (e.g., a rule matching /admin/**).
6. Heimdall executes the default rule, which, if misconfigured to be overly permissive (allowing anonymous access), grants access.
7. The request is forwarded to the upstream service.
8. The upstream service interprets %2f as a forward slash, effectively processing the request as /admin/secret, granting the attacker unauthorized access to the protected resource.

Impact

Successful exploitation of this vulnerability allows an attacker to bypass intended access control policies, potentially leading to unauthorized access to sensitive data, modification of restricted resources, or invocation of privileged functionality. Depending on the exposed functionality and the configuration of the upstream service, this could also lead to privilege escalation. The number of victims and sectors targeted depend heavily on the deployment and configuration of Heimdall instances.

Recommendation

• Upgrade to Heimdall version 0.17.14 or later to address the case-sensitive handling of URL-encoded slashes.
• Avoid using the --insecure or --insecure-skip-secure-default-rule-enforcement flags during Heimdall configuration, as these flags weaken security posture.
• Configure the default rule in Heimdall to implement a “deny by default” policy to minimize the risk of unintended access.
• Implement input validation at layers in front of Heimdall (e.g., in proxies like Traefik) to reject HTTP paths containing encoded slashes, providing an additional layer of defense.
• If using JWTs, include the ID of the rule expected to be executed and verify that value in the project’s service.

]]>highadvisoryheimdallauthorization-bypassurl-encodinghttps://feed.craftedsignal.io/briefs/2024-01-rustfs-admin-auth-bypass/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rustfs-admin-auth-bypass/A vulnerability in RustFS allows a non-admin user to overwrite a shared admin-defined notification target, leading to event interception and audit evasion due to missing admin-action authorization on notification target admin API endpoints.A critical authorization bypass vulnerability exists in RustFS versions 0.0.2 and earlier, specifically within the notification target admin API endpoints (rustfs/src/admin/handlers/event.rs). These endpoints lack proper admin-action authorization, failing to call validate_admin_request. This oversight allows a non-admin user to overwrite admin-defined notification targets by name. Successful exploitation enables attackers to intercept events intended for legitimate administrators and evade audit logs. The attacker gains the ability to redirect bucket events to an attacker-controlled endpoint, potentially exfiltrating sensitive information like object keys, bucket names, user identities, and request metadata. This issue was patched in RustFS version 1.0.0-alpha.94.

Attack Chain

1. An attacker gains access to a RustFS account with non-admin (readonly) privileges.
2. The attacker crafts a PUT request to one of the notification target admin API endpoints (e.g., to create or update a notification target).
3. The request bypasses the intended admin authorization checks due to the missing validate_admin_request call.
4. The attacker overwrites an existing, admin-defined notification target, replacing the legitimate endpoint with an attacker-controlled URL.
5. An S3 bucket event (e.g., object creation) occurs, triggering the notification system.
6. RustFS sends an HTTP request containing event data to the attacker-controlled URL.
7. The attacker captures the exfiltrated event data, including object keys, bucket names, user identities, and request metadata.
8. The attacker can also delete unbound targets or silently redirect events from bound targets, further evading audit detection.

Impact

Successful exploitation of this vulnerability allows attackers to intercept sensitive data related to bucket events, potentially leading to data breaches and unauthorized access to resources. The vulnerability affects RustFS instances where non-admin users have access to the system, enabling them to manipulate notification targets intended for administrative purposes. The attacker can redirect events to an external endpoint, exposing potentially thousands of events containing sensitive information. The ability to overwrite existing notification targets allows for a persistent compromise until the vulnerability is patched.

Recommendation

• Upgrade RustFS to version 1.0.0-alpha.94 or later to patch the vulnerability.
• Deploy the Sigma rule “Detect RustFS Notification Target Manipulation” to identify attempts to modify notification targets via the admin API.
• Monitor web server logs (cs-uri-query, cs-method) for unusual activity related to the notification target admin API endpoints to detect potential exploitation attempts.
• Implement strict access control policies to limit non-admin user access to sensitive API endpoints and resources.

]]>highadvisoryauthorization-bypassssrfevent-interceptionhttps://feed.craftedsignal.io/briefs/2024-01-phpvms-auth-bypass/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-phpvms-auth-bypass/A critical vulnerability exists in phpVMS 7.x versions up to 7.0.5, allowing unauthenticated access to a legacy import feature, enabling a remote attacker to trigger internal processes that can modify or delete application data, potentially leading to data loss and service disruption.A critical vulnerability has been identified in phpVMS 7.x, specifically affecting versions up to 7.0.5. This vulnerability stems from a deprecated legacy import feature that, despite its intended obsolescence, remained partially accessible without authentication. A remote, unauthenticated attacker could exploit this flaw to interact with internal processes responsible for data manipulation within the application. The vulnerability was addressed in phpVMS version 7.0.6, which removes public access to the vulnerable feature, highlighting the importance of prompt patching to mitigate the risk of unauthorized data modification or deletion.

Attack Chain

1. An unauthenticated attacker sends a crafted HTTP request to the /importer endpoint.
2. The application fails to properly validate the request, granting access to the legacy import feature.
3. The attacker leverages the exposed import functionality to initiate a data manipulation process.
4. The application executes the attacker-initiated process without proper authorization checks.
5. The import process modifies or deletes data within the application’s database.
6. The attacker repeats the process to maximize data corruption or deletion.
7. The application becomes unstable or unusable due to the corrupted database.
8. Service disruption occurs, impacting all users of the phpVMS system.

Impact

The exploitation of this vulnerability in phpVMS can lead to significant data loss and service disruption. An attacker can remotely trigger the modification or deletion of critical application data without any authentication. This can result in a complete loss of data integrity, rendering the application unusable. The specific number of potential victims is dependent on the number of phpVMS instances running vulnerable versions (<= 7.0.5). Successful exploitation can lead to extended downtime and significant recovery efforts.

Recommendation

• Immediately upgrade to phpVMS version 7.0.6 or later to remediate CVE-2026-42569.
• If immediate upgrade is not feasible, follow the instructions provided in the release notes for version 7.0.6 to disable the vulnerable /importer routes.
• Deploy the provided Sigma rule to monitor for suspicious requests to the /importer endpoint, indicative of attempted exploitation.
• Enable web server access logging and review logs for unauthorized access attempts to the /importer endpoint.

]]>criticaladvisoryauthorization-bypassdata-lossphpvmshttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/Heimdall is vulnerable to an authorization bypass due to a path normalization mismatch between Heimdall and downstream components, potentially leading to unauthorized access and privilege escalation.Heimdall, a cloud-native security proxy, is susceptible to an authorization bypass vulnerability. This issue arises from a discrepancy in how Heimdall handles request paths compared to downstream components. Specifically, Heimdall performs rule matching on the raw, non-normalized request path, while downstream components might normalize dot-segments (e.g., /user/../admin) according to RFC 3986. This can lead to Heimdall authorizing a request based on the raw path, whereas the downstream service processes a different, normalized path, potentially bypassing intended access controls. The vulnerability affects Heimdall versions prior to 0.17.14. Exploitation is possible when using wildcards in rule matching without further constraints. This could allow attackers to access restricted resources or functionalities.

Attack Chain

1. Attacker crafts a malicious HTTP request with a path containing dot-segments (e.g., /public/../user/resource).
2. The request is sent to the Heimdall proxy.
3. Heimdall performs rule matching on the raw, non-normalized path (/public/../user/resource).
4. Heimdall incorrectly matches the request to a less restrictive rule, such as a rule for /public/**, due to the initial /public segment.
5. Heimdall authorizes the request based on the matched rule, potentially allowing anonymous access.
6. The request is forwarded to the downstream service.
7. The downstream service normalizes the request path to /user/resource.
8. The downstream service processes the request as /user/resource, bypassing the intended access controls for that resource, possibly leading to data access or privilege escalation.

Impact

Successful exploitation of this vulnerability allows attackers to bypass access control policies enforced by Heimdall. This can lead to unauthorized access to sensitive data, modification of restricted data, invocation of privileged functionality without proper authentication or authorization, and in certain configurations, escalation of privileges. The number of potential victims depends on the deployment and configuration of Heimdall within affected environments.

Recommendation

• Apply the available patch to upgrade Heimdall to version 0.17.14 or later to remediate the vulnerability.
• Implement HTTP path normalization or rejection of HTTP paths containing relative path expressions in layers in front of Heimdall, as suggested in the advisory.
• Deploy the Sigma rule provided below to detect suspicious HTTP requests containing dot-segments (..) in the request path.
• Configure your proxies (e.g., Envoy) to normalize paths, as described in the advisory.

]]>highadvisoryauthorization-bypasspath-normalizationcloud