+ "details": "## Summary\n\nA Manager account (`access_all=false`) was able to escalate privileges by directly invoking the **bulk-access API** against collections that were not originally assigned to them.\nThe API allowed changing `assigned=false` to `assigned=true`, resulting in unauthorized access.\n\nAdditionally, prior to the bulk-access call, the regular single-update API correctly returned **401 Unauthorized** for the same collection. After executing the bulk-access API, the same update API returned **200 OK**, confirming an authorization gap at the HTTP level.\n\n---\n\n## Description\n\n* The endpoint accepts `ManagerHeadersLoose` and does not validate access rights for the specified `collectionIds`.\n src/api/core/organizations.rs:551\n\n ```rust\n headers: ManagerHeadersLoose,\n ```\n\n* The received `collection_ids` are processed directly without per-collection authorization checks.\n src/api/core/organizations.rs:564\n\n ```rust\n for col_id in data.collection_ids {\n ```\n\n* Existing group assignments for the collection are deleted.\n src/api/core/organizations.rs:583\n\n ```rust\n CollectionGroup::delete_all_by_collection(&col_id, &conn).await?;\n ```\n\n* Existing user assignments for the collection are deleted.\n src/api/core/organizations.rs:590\n\n ```rust\n CollectionUser::delete_all_by_collection(&col_id, &conn).await?;\n ```\n\n* By comparison, another bulk-processing endpoint performs per-collection validation using `from_loose`.\n src/api/core/organizations.rs:787\n\n ```rust\n let headers = ManagerHeaders::from_loose(headers, &collections, &conn).await?;\n ```\n\n* The actual access control logic is implemented in `can_access_collection`, which is not invoked in the bulk-access endpoint.\n src/auth.rs:911\n\n ```rust\n if !Collection::can_access_collection(&h.membership, col_id, conn).await {\n ```\n\n---\n\n## Preconditions\n\n* The attacker possesses a valid **Manager account** within the target organization.\n* The organization contains collections that are **not assigned** to the attacker.\n* The attacker can authenticate through the standard API login process (Owner/Admin privileges are not required).\n\n---\n\n## Steps to Reproduce\n\n1. Log in as a Manager and obtain a Bearer token.\n<img width=\"4016\" height=\"1690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/218f05e2-6a2e-4066-8f8d-6bbef1cc5858\" />\n\n2. Confirm the current values of `assigned`, `manage`, `readOnly`, and `hidePasswords` for the target collection.\n<img width=\"4026\" height=\"1694\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a6d2fc70-5370-4984-85bd-a6f74febdfa3\" />\n\n3. Verify that the standard update API returns **401 Unauthorized** when attempting to modify the unassigned collection.\n<img width=\"4030\" height=\"1708\" alt=\"image\" src=\"https://github.com/user-attachments/assets/802f0d2b-d474-44d2-beef-b4f7f3335225\" />\n\n4. Invoke the bulk-access API, including:\n<img width=\"4036\" height=\"1120\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1d3caa01-3ac2-4636-9ed0-189e5923c986\" />\n\n * `collectionIds` containing the target collection\n * `users` containing the attacker’s own `membership_id`\n Confirm that the API returns **200 OK**.\n\n5. Re-run the standard update API.\n Confirm that it now succeeds and that the previously unauthorized modification is applied.\n<img width=\"4040\" height=\"1440\" alt=\"image\" src=\"https://github.com/user-attachments/assets/340e9676-d802-404c-b894-9986a176360a\" />\n\n---\n\n## Required Minimum Privileges\n\n* Manager role within the target organization\n (the issue occurs even when `access_all=false`)\n\n---\n\n## Attack Scenario\n\nA delegated administrator or department-level Manager within an organization directly calls the API to add themselves to unauthorized collections and gain access to confidential information.\n\nBecause the bulk update process deletes and reassigns existing permissions, the attacker can also remove other users’ access, enabling denial-of-service or sabotage within the organization.\n\n---\n\n## Potential Impact\n\n* **Confidentiality:** Unauthorized access to sensitive information within restricted collections.\n* **Integrity:** Unauthorized modification of collection permission settings and arbitrary changes to access controls.\n* **Availability:** Deletion of existing assignments may cause legitimate users to lose access.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments