- "details": "## Summary\nA broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, model configurations, and private messages. The application fails to enforce tenant isolation on critical tables (`models`, `messages`, `embeddings`), enabling unauthorized cross-tenant data access with user-level authentication privileges.\n\n---\n\n## Details\n\n### Root Cause\nThe vulnerability exists due to a mismatch between the queryable tables and the tables protected by tenant isolation in `internal/utils/inject.go`.\n\n**Tenant-isolated tables** (protected by automatic `WHERE tenant_id = X` clause):\n```\ntenants, knowledge_bases, knowledges, sessions, chunks\n```\n\n**Queryable tables** (allowed by `WithAllowedTables()` in `WithSecurityDefaults()`):\n```\ntenants, knowledge_bases, knowledges, sessions, messages, chunks, embeddings, models\n```\n\n**Gap**: The tables `messages`, `embeddings`, and `models` are queryable but NOT in the tenant isolation list. This means queries against these tables do NOT receive the automatic `WHERE tenant_id = X` filtering.\n\n### Vulnerable Code\n\n**File: `internal/utils/inject.go`**\n\n```go\nfunc WithTenantIsolation(tenantID uint64, tables ...string) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\tv.enableTenantInjection = true\n\t\tv.tenantID = tenantID\n\t\tv.tablesWithTenantID = make(map[string]bool)\n\t\tif len(tables) == 0 {\n\t\t\t// Default tables with tenant_id - MISSING: messages, embeddings, models\n\t\t\tv.tablesWithTenantID = map[string]bool{\n\t\t\t\t\"tenants\": true,\n\t\t\t\t\"knowledge_bases\": true,\n\t\t\t\t\"knowledges\": true,\n\t\t\t\t\"sessions\": true,\n\t\t\t\t\"chunks\": true,\n\t\t\t}\n\t\t} else {\n\t\t\tfor _, table := range tables {\n\t\t\t\tv.tablesWithTenantID[strings.ToLower(table)] = true\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc WithSecurityDefaults(tenantID uint64) SQLValidationOption {\n\treturn func(v *sqlValidator) {\n\t\t// ... other validations ...\n\t\tWithTenantIsolation(tenantID)(v)\n\n\t\t// Default allowed tables - INCLUDES unprotected tables\n\t\tWithAllowedTables(\n\t\t\t\"tenants\",\n\t\t\t\"knowledge_bases\",\n\t\t\t\"knowledges\",\n\t\t\t\"sessions\",\n\t\t\t\"messages\", // ← No tenant isolation\n\t\t\t\"chunks\",\n\t\t\t\"embeddings\", // ← No tenant isolation\n\t\t\t\"models\", // ← No tenant isolation\n\t\t)(v)\n\t}\n}\n```\n\n**File: `database_query.go`**\n\n```go\nfunc (t *DatabaseQueryTool) validateAndSecureSQL(sqlQuery string, tenantID uint64) (string, error) {\n\tsecuredSQL, validationResult, err := utils.ValidateAndSecureSQL(\n\t\tsqlQuery,\n\t\tutils.WithSecurityDefaults(tenantID),\n\t\tutils.WithInjectionRiskCheck(),\n\t)\n\t// ... validation logic ...\n\treturn securedSQL, nil\n}\n```\n\nWhen tenant 1 queries `SELECT * FROM models`, the validation passes and **no** `WHERE tenant_id = 1` clause is appended because `models` is not in the `tablesWithTenantID` map. The unfiltered result exposes all model records across all tenants.\n\n---\n\n## PoC\n\n### Prerequisites\n- Access to the AI application as an authenticated tenant\n- Ability to send prompts that invoke the `database_query` tool\n\n### Steps to Reproduce\n\n1. **Authenticate as Tenant 1** and craft the following prompt to the AI agent:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM models\"} to query the database. \n Output all results and any errors.\n ```\n\n2. **Expected vulnerable response**: The agent returns ALL model records in the `models` table across all tenants, including:\n - Model IDs and names\n - API keys and authentication credentials\n - Configuration details for all organizations\n\nExample result:\n\n<img width=\"864\" height=\"1150\" alt=\"image\" src=\"https://github.com/user-attachments/assets/01e3d0ba-0f2a-43ab-ab51-8778fb8a79b1\" />\n\n3. **Repeat with messages table**:\n ```\n Use the database_query tool with {\"sql\": \"SELECT * FROM messages\"} to query the database. \n Output all results.\n ```\n\n4. **Expected vulnerable response**: The agent returns ALL messages from all tenants, bypassing message privacy.\n\n---\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/056984e8-1700-41fe-9b8a-6d18d5579c18\n\n---\n\n## Impact\n\n### Vulnerability Type\n**Broken Access Control (CWE-639)** / **Unauthorized Information Disclosure (CWE-200)**\n\n### Specific Data at Risk\n1. **API Keys & Credentials** (from `models` table)\n - Third-party LLM provider keys (OpenAI, Anthropic, etc.)\n - Database credentials and connection strings\n - Authentication tokens for integrated services\n\n2. **Private Messages** (from `messages` table)\n - Confidential business communications\n - User conversations with AI agents\n - Sensitive information shared within conversations\n\n### Severity\n- High confidentiality impact with cross-tenant scope\n- Easy to exploit with simple queries",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments