Submission #777657: FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639) Information

Title: FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639)
Description:

# Technical Details

A Missing Authorization (IDOR) vulnerability exists in the `read()` methods of `user.controller.ts`, `organization-user.controller.ts`, and `workspace-user.controller.ts` in FlowiseAI Flowise. The application enforces role-based access control on mutating operations (POST, PUT, DELETE) through the `checkPermission()` middleware, but the corresponding GET (read) routes for user management are registered without any permission middleware. The controllers accept arbitrary user-controlled query parameters (`userId`, `organizationId`, `workspaceId`, `email`) and pass them directly to database queries without verifying that the requester has any relationship to the queried entities.

# Vulnerable Code

File: packages/server/src/routes/user.route.ts (line 7), organization-user.route.ts (line 9), workspace-user.route.ts (line 10)

Method: `read()` in user.controller.ts, organization-user.controller.ts, workspace-user.controller.ts

Why: the GET routes are registered without `checkPermission()` middleware. The `read()` controllers accept arbitrary query parameters and return results without verifying the requester's relationship to the queried entities. Fix commit 83036b1a1 for PR #5652 initially added checks but then removed them before merging.

# Reproduction

1. Deploy Flowise: `docker run -d --name flowise-idor -p 3000:3000 flowiseai/flowise:latest`
2. Register and authenticate to obtain the JWT session cookie.
3. IDOR: `GET /api/v1/user?email=<any_email>` returns any user's full profile.
4. IDOR: `GET /api/v1/organizationuser?userId=<leaked_id>` returns that user's organization memberships.
5. IDOR: `GET /api/v1/workspaceuser?userId=<leaked_id>` returns that user's workspace memberships.

# Impact

- Cross-tenant data access: a user in Organization A can read the profiles and membership records of Organization B.
- Full organizational reconnaissance from a single low-privilege account.
- Leaked IDs enable targeted privilege escalation attacks.
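The following is an added example, not Flowise code, contrasting the unguarded `read()` shape described above with a guarded version that ties every lookup to the caller. It runs against constructed in-memory tables standing in for the user, organization-user and workspace-user entities; the `AuthContext` type (what the session middleware derives from the JWT cookie), the `HttpReply` type and all data values are assumptions made for the example.

```typescript
// Added example (not Flowise code): an unguarded user read() beside one that
// verifies the requester's relationship to the queried entity before answering.

interface User { id: string; email: string; name: string }
interface OrganizationUser { userId: string; organizationId: string; role: string }
interface WorkspaceUser { userId: string; workspaceId: string; role: string }
// Assumed shape of what the session middleware resolves from the JWT cookie.
interface AuthContext { userId: string }
// Raw, attacker-controlled query string parameters.
interface ReadQuery { userId?: string; email?: string; organizationId?: string; workspaceId?: string }
interface HttpReply { status: number; body: unknown }

// Constructed sample data: two tenants (org-a, org-b) that must never see each other.
const USERS: User[] = [
  { id: "u-1", email: "alice@org-a.example", name: "Alice" },
  { id: "u-2", email: "bob@org-a.example", name: "Bob" },
  { id: "u-3", email: "carol@org-b.example", name: "Carol" },
];
const ORG_USERS: OrganizationUser[] = [
  { userId: "u-1", organizationId: "org-a", role: "owner" },
  { userId: "u-2", organizationId: "org-a", role: "member" },
  { userId: "u-3", organizationId: "org-b", role: "owner" },
];
const WORKSPACE_USERS: WorkspaceUser[] = [
  { userId: "u-1", workspaceId: "ws-a1", role: "owner" },
  { userId: "u-2", workspaceId: "ws-a1", role: "member" },
  { userId: "u-3", workspaceId: "ws-b1", role: "owner" },
];

function findUser(query: ReadQuery): User | undefined {
  return USERS.find(u =>
    (query.userId !== undefined && u.id === query.userId) ||
    (query.email !== undefined && u.email === query.email));
}

// Vulnerable shape: the query parameters alone select the row and nothing
// relates the result to the caller, so any session can look up any email or id.
function readUserUnguarded(query: ReadQuery): HttpReply {
  const user = findUser(query);
  return user ? { status: 200, body: user } : { status: 404, body: { error: "not found" } };
}

// Organizations / workspaces the caller actually belongs to (from the
// membership tables, never from the request).
function orgsOf(userId: string): string[] {
  return ORG_USERS.filter(m => m.userId === userId).map(m => m.organizationId);
}
function workspacesOf(userId: string): string[] {
  return WORKSPACE_USERS.filter(m => m.userId === userId).map(m => m.workspaceId);
}

// Guarded shape: same lookup, then an ownership check. A user is visible only
// to themselves or to members of an organization they share. "Not visible" and
// "does not exist" collapse into one 404 so the endpoint cannot confirm whether
// an email is registered.
function readUserGuarded(auth: AuthContext, query: ReadQuery): HttpReply {
  const notFound: HttpReply = { status: 404, body: { error: "not found" } };
  const user = findUser(query);
  if (!user) return notFound;
  const callerOrgs = orgsOf(auth.userId);
  const sharesOrg = orgsOf(user.id).some(o => callerOrgs.indexOf(o) !== -1);
  if (user.id !== auth.userId && !sharesOrg) return notFound;
  return { status: 200, body: user };
}

// Membership reads: scope the result to the caller's own organizations /
// workspaces instead of trusting organizationId / workspaceId / userId from the URL.
function readOrganizationUsersGuarded(auth: AuthContext, query: ReadQuery): HttpReply {
  const callerOrgs = orgsOf(auth.userId);
  const rows = ORG_USERS.filter(m =>
    callerOrgs.indexOf(m.organizationId) !== -1 &&
    (query.organizationId === undefined || m.organizationId === query.organizationId) &&
    (query.userId === undefined || m.userId === query.userId));
  return { status: 200, body: rows };
}
function readWorkspaceUsersGuarded(auth: AuthContext, query: ReadQuery): HttpReply {
  const callerWs = workspacesOf(auth.userId);
  const rows = WORKSPACE_USERS.filter(m =>
    callerWs.indexOf(m.workspaceId) !== -1 &&
    (query.workspaceId === undefined || m.workspaceId === query.workspaceId) &&
    (query.userId === undefined || m.userId === query.userId));
  return { status: 200, body: rows };
}
```

With this data, `readUserUnguarded({ email: "carol@org-b.example" })` hands Carol's record to anyone, while `readUserGuarded({ userId: "u-1" }, { email: "carol@org-b.example" })` answers 404 for Alice because org-a and org-b share no membership. The membership reads filter by the caller's own organizations and workspaces, so a leaked `userId` from another tenant simply yields an empty list rather than an error that would reveal the id is valid.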
Source: ⚠️ https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b
User: Eric-a (UID 96353)
Submitted: 2026-03-11 14:57 (3 months ago)
Moderation: 2026-05-06 09:40 (2 months later)
Status: Accepted
VulDB Entry: 361274 [FlowiseAI Flowise up to 3.0.12 User Controller userId/organizationId/workspaceId/email privilege escalation]
Points: 20
