7 files changed

+587
-0
lines changed

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3jpj-v3xr-5h6g",
4+
"modified": "2026-04-16T21:09:23Z",
5+
"published": "2026-04-16T21:09:23Z",
6+
"aliases": [
7+
"CVE-2026-40304"
8+
],
9+
"summary": "zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records",
10+
"details": "Summary\nThe unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it.\n\nAttack Vector: Network — the endpoint is a standard HTTP API call.\n\nAttack Complexity: High — successful exploitation requires prior knowledge of a global frontend token. These tokens are not returned to non-admin users by any standard API endpoint; obtaining one requires an out-of-band step (e.g., leaked server logs, admin documentation for a self-hosted instance, or social engineering).\n\nPrivileges Required: Low — a valid user account with at least one registered environment is required; no admin privileges needed.\n\nUser Interaction: None.\n\nScope: Unchanged — the impact stays within the same server instance.\n\nConfidentiality Impact: None — no data is disclosed.\n\nIntegrity Impact: None — no data is improperly modified; the record is deleted (not corrupted).\n\nAvailability Impact: High — deleting a global frontend disrupts every public share routed through it on the instance, constituting a platform-wide availability impact.\n\nAffected Component\ncontroller/unaccess.go — unaccessHandler.Handle (line 56)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/openziti/zrok"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "1.1.11"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/openziti/zrok/v2"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"fixed": "2.0.1"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g"
61+
},
62+
{
63+
"type": "PACKAGE",
64+
"url": "https://github.com/openziti/zrok"
65+
}
66+
],
67+
"database_specific": {
68+
"cwe_ids": [
69+
"CWE-284",
70+
"CWE-863"
71+
],
72+
"severity": "MODERATE",
73+
"github_reviewed": true,
74+
"github_reviewed_at": "2026-04-16T21:09:23Z",
75+
"nvd_published_at": null
76+
}
77+
}
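Review bot: the `affected` entry for `github.com/openziti/zrok` (the pre-v2 module path) carries only `"last_affected": "1.1.11"` and no `fixed` event, while `github.com/openziti/zrok/v2` gets `"fixed": "2.0.1"`; as written, every 1.x release is reported vulnerable with no patched version in that module, so either add a 1.x `fixed` version if one was released, or say in `details` that moving to the v2 module at 2.0.1 is the only remediation. Two smaller points in `details`: the CVSS rationale asserts "Integrity Impact: None" on the grounds that the record is deleted rather than corrupted, but deleting a row the caller does not own is an unauthorized modification of server-side data, so I:N needs a justification rather than a restatement (the vector as given does evaluate to 5.3, which is consistent with the `MODERATE` label); and the code anchor "controller/unaccess.go — unaccessHandler.Handle (line 56)" will drift as the file changes, so pin it to a commit or tag. `references` has only the advisory and package URLs; a fix commit or the 2.0.1 release URL would let readers verify the patched condition, which right now rests solely on the version event.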
Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4fxq-2x3x-6xqx",
4+
"modified": "2026-04-16T21:08:55Z",
5+
"published": "2026-04-16T21:08:55Z",
6+
"aliases": [
7+
"CVE-2026-40302"
8+
],
9+
"summary": "zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering",
10+
"details": "**Summary**\nThe proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin.\n\n- Attack Vector: Network — the attack is delivered as a crafted URL over the internet.\n- Attack Complexity: Low — no race conditions or special environment prerequisites.\n- Privileges Required: None — the attacker needs no account on the zrok instance.\n- User Interaction: Required — the victim must click the crafted link and complete the GitHub OAuth flow.\n- Scope: Changed — the injected script executes in the OAuth server's origin, not the victim's share origin.\n- Confidentiality Impact: Low — the script runs in the OAuth server origin after a failed flow; no session cookie is set at this point, limiting what can be exfiltrated to what is visible in the DOM and what can be requested from the OAuth server.\n- Integrity Impact: Low — the script can initiate new OAuth flows or submit forms on behalf of the victim in the OAuth server origin.\n- Availability Impact: None.\n\n**Affected Components**\n\n- endpoints/proxyUi/template.go — init() / WriteTemplate (lines 8, 18, 99) — text/template used for HTML rendering\n- endpoints/proxyUi/template.html — line 119 — {{ .Error }} in HTML without escaping\n- endpoints/publicProxy/providerGithub.go — login callback closure (lines 93, 128, 130)\n- endpoints/dynamicProxy/providerGithub.go — loginHandler() (lines 110, 146, 148)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/openziti/zrok"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "1.1.11"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/openziti/zrok/v2"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"fixed": "2.0.1"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/openziti/zrok/security/advisories/GHSA-4fxq-2x3x-6xqx"
61+
},
62+
{
63+
"type": "PACKAGE",
64+
"url": "https://github.com/openziti/zrok"
65+
}
66+
],
67+
"database_specific": {
68+
"cwe_ids": [
69+
"CWE-116",
70+
"CWE-79"
71+
],
72+
"severity": "MODERATE",
73+
"github_reviewed": true,
74+
"github_reviewed_at": "2026-04-16T21:08:55Z",
75+
"nvd_published_at": null
76+
}
77+
}
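Review bot: `details` identifies the root cause (the proxyUi engine is built on `text/template`, so `{{ .Error }}` at template.html line 119 is rendered unescaped) and pins the vulnerable code to exact line numbers in four files, but never says how 2.0.1 addresses it and `references` carries nothing the line numbers are relative to; add the fixing commit or the 2.0.1 release URL and a one-line Patches/Workarounds statement, since `"fixed": "2.0.1"` is otherwise the only evidence of a fix. As in the companion zrok record in this change, `github.com/openziti/zrok` has `"last_affected": "1.1.11"` with no `fixed` event, so 1.x users are given no patched version. The S:C rationale (script runs in the OAuth server's origin, not the victim's share origin) is the standard reading for reflected XSS and the vector evaluates to 6.1, matching `MODERATE`; the C:L rationale leans on "no session cookie is set at this point", which holds for the failed-flow page the PoC describes but is worth stating as a scoping assumption, since the same text notes the script "can initiate new OAuth flows". Style: this record uses bold pseudo-headings (`**Summary**`, `**Affected Components**`) while the Dgraph record in the same change uses `###` headings; the two should agree.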
Lines changed: 104 additions & 0 deletions
@@ -0,0 +1,104 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-95mq-xwj4-r47p",
4+
"modified": "2026-04-16T21:08:07Z",
5+
"published": "2026-04-16T21:08:07Z",
6+
"aliases": [
7+
"CVE-2026-40173"
8+
],
9+
"summary": "Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints",
10+
"details": "### Summary\nAn unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from `--security \"token=...\"`.\n\nThis does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level access by reusing the leaked token in `X-Dgraph-AuthToken`.\n\n### Details\nThe behavior occurs entirely within core Alpha HTTP routing and does not require any external proxy, plugin, or non-core integration.\n\nThe core issue is not that admin token protection is absent, but that the protected secret is exposed in cleartext through an unauthenticated core debug endpoint.\n\nRelevant code paths:\n- `dgraph/cmd/alpha/run.go:17` imports `net/http/pprof`, which registers `/debug/pprof/*` handlers on the default mux.\n- `dgraph/cmd/alpha/run.go:533` uses `http.Handle(\"/\", audit.AuditRequestHttp(baseMux))`, so default-mux handlers remain reachable.\n- `dgraph/cmd/alpha/admin.go:52` enforces admin token checks in `adminAuthHandler` for admin endpoints.\n- `dgraph/cmd/alpha/admin.go:74` shows `/admin/config/cache_mb` behind `adminAuthHandler`.\n\nCredential-exposure chain:\n1. `/debug/pprof/cmdline` is reachable without authentication.\n2. Its output includes the configured admin token from process arguments.\n3. The disclosed token is accepted by `adminAuthHandler` when sent as `X-Dgraph-AuthToken`.\n4. 
An attacker gains unauthorized access to admin-only functionality.\n\nObserved local evidence (safe validation):\n- Request: `GET /admin/config/cache_mb` without token\n - Status: 200 (request rejected at application layer)\n - Body contains error: `Invalid X-Dgraph-AuthToken`\n - The endpoint returns HTTP 200 but indicates authentication failure in the response body.\n- Request: `GET /debug/pprof/cmdline` without token\n - Status: 200\n - Body excerpt includes: `--security=token=TopSecretToken123;`\n- Request: `GET /admin/config/cache_mb` with `X-Dgraph-AuthToken: TopSecretToken123`\n - Status: 200\n - Body: `4096`\n\nImportant policy/triage clarification:\n- This issue persists even when the admin-token security feature is enabled: the token itself is exposed via an unauthenticated core debug endpoint, making this more than a misconfiguration-only concern.\n- Network restrictions (bind/whitelist/firewall) may reduce exposure, but they do not remediate the underlying credential disclosure behavior.\n\n### PoC\n\n- Branch: `main`\n- Commit: `b15c87e93`\n- Describe: `v25.3.1`\n\nPreconditions:\n- Alpha HTTP port is reachable by attacker traffic.\n- Admin token is configured via supported startup flag: `--security \"token=...\"`.\n- `/debug/pprof/*` is exposed on the same Alpha HTTP listener.\n- This behavior occurs with documented startup flags and without any non-default or unsupported configuration.\n\nReproduction steps:\n1. Start Zero and Alpha (example local setup):\n - `dgraph zero --my=127.0.0.1:5280 --port_offset=200 --bindall=false --wal=./zw`\n - `dgraph alpha --my=127.0.0.1:7280 --zero=127.0.0.1:5280 --port_offset=200 --bindall=false --security \"token=TopSecretToken123;\" --postings=./p --wal=./w --tmp=./t`\n\n2. Verify admin endpoint rejects unauthenticated request:\n - `curl -i http://127.0.0.1:8280/admin/config/cache_mb`\n - Expected body includes `Invalid X-Dgraph-AuthToken`.\n\n3. 
Read token from unauthenticated debug endpoint:\n - `curl -s http://127.0.0.1:8280/debug/pprof/cmdline`\n - Expected output includes `--security=token=TopSecretToken123;`.\n\n4. Reuse leaked token against admin endpoint:\n - `curl -i -H \"X-Dgraph-AuthToken: TopSecretToken123\" http://127.0.0.1:8280/admin/config/cache_mb`\n - Expected: successful response (example observed: `4096`).\n\nNote: The PoC uses `127.0.0.1` only for safe local validation. The vulnerable condition is unauthenticated reachability of `/debug/pprof/cmdline`; in any deployment where Alpha HTTP is reachable by untrusted parties, the same token disclosure and subsequent unauthorized admin access apply.\n\n### Impact\n\n- Unauthenticated disclosure of a sensitive admin credential via debug endpoint, enabling unauthorized privileged administrative access through token reuse\n- Operators running Dgraph Alpha with admin token configured, where Alpha HTTP/debug routes are reachable by untrusted users or networks.\n\nThe attack requires network reachability to the Alpha HTTP port. In deployments where this interface is exposed beyond trusted boundaries, the issue is remotely exploitable without authentication.\n\nDepending on exposed admin functionality in deployment policy, this may allow configuration changes, operational control actions, and other privileged administrative operations exposed through `/admin/*`.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/dgraph-io/dgraph/v25"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "25.3.2"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/dgraph-io/dgraph/v24"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"last_affected": "24.1.7"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Go",
59+
"name": "github.com/dgraph-io/dgraph"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "0"
67+
},
68+
{
69+
"last_affected": "1.2.8"
70+
}
71+
]
72+
}
73+
]
74+
}
75+
],
76+
"references": [
77+
{
78+
"type": "WEB",
79+
"url": "https://github.com/dgraph-io/dgraph/security/advisories/GHSA-95mq-xwj4-r47p"
80+
},
81+
{
82+
"type": "ADVISORY",
83+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40173"
84+
},
85+
{
86+
"type": "PACKAGE",
87+
"url": "https://github.com/dgraph-io/dgraph"
88+
},
89+
{
90+
"type": "WEB",
91+
"url": "https://github.com/dgraph-io/dgraph/releases/tag/v25.3.2"
92+
}
93+
],
94+
"database_specific": {
95+
"cwe_ids": [
96+
"CWE-200",
97+
"CWE-215"
98+
],
99+
"severity": "CRITICAL",
100+
"github_reviewed": true,
101+
"github_reviewed_at": "2026-04-16T21:08:07Z",
102+
"nvd_published_at": "2026-04-15T21:17:27Z"
103+
}
104+
}
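Review bot: in the `### Impact` section of `details`, the second bullet ("Operators running Dgraph Alpha with admin token configured, where Alpha HTTP/debug routes are reachable by untrusted users or networks.") is a sentence fragment with no verb; it reads as an "Affected deployments" line that lost its lead-in, so either prefix it ("Affected deployments: operators running ...") or fold it into the preceding bullet. On `affected`: only `github.com/dgraph-io/dgraph/v25` has a `fixed` event (`25.3.2`); `/v24` is `"last_affected": "24.1.7"` and the unversioned module is `"last_affected": "1.2.8"`, so readers on v24 or older get no patched version from this record and the text should say whether 25.3.2 is the only fixed line. The vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L` evaluates to 9.4, consistent with `CRITICAL`. One detail buried in the PoC deserves promotion to the Impact or a Detection note: the unauthenticated `GET /admin/config/cache_mb` returns HTTP 200 with `Invalid X-Dgraph-AuthToken` in the body, so status-code monitoring will not distinguish rejected admin calls from successful ones; operators should alert on requests to `/debug/pprof/cmdline` and on `X-Dgraph-AuthToken` use from unexpected sources instead. The root-cause bullet (`run.go:17` imports `net/http/pprof`, and `run.go:533` serves `/` from a handler wrapping the default mux) is the key fact for anyone auditing other Go services, and would be clearer if it stated plainly that the blank import registers the `/debug/pprof/*` handlers on `http.DefaultServeMux`, which is what the visible routing then exposes.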
