| 제목 | zhinianboke xianyu-auto-reply main branch at or before commit 04580d6490b4731d0055f29736930d8cc59b60d6 CWE-862 Missing Authorization |
|---|
| 설명 | An unauthenticated authorization bypass exists in zhinianboke/xianyu-auto-reply at commit 04580d6490b4731d0055f29736930d8cc59b60d6.
The backend-web user update endpoint PATCH /api/v1/users/{user_id} is exposed without an authentication dependency such as Depends(deps.get_current_active_user) and without an administrator authorization check. The route accepts a UserUpdate payload and directly passes it to the user update service.
The UserUpdate schema includes sensitive fields including email, phone, status, and role. The UserService.update method then applies all supplied fields to the target user object using setattr with no field allowlist. As a result, any unauthenticated remote attacker who knows or can guess a user_id can modify that user. If the attacker supplies {"role":"ADMIN","status":"ACTIVE"}, the target account can be promoted to administrator or reactivated.
Affected endpoint: PATCH /api/v1/users/{user_id}
Affected code: backend-web/app/api/routes/users.py exposes PATCH /{user_id} without authentication. common/schemas/user.py allows role and status in UserUpdate. backend-web/app/services/user_service.py applies update fields directly with setattr.
Proof of concept against a local test instance: curl -i -X PATCH "http://127.0.0.1:8089/api/v1/users/1" -H "Content-Type: application/json" -d '{"email":"[email protected]","role":"ADMIN","status":"ACTIVE"}'
Expected behavior: The endpoint should require authentication and should allow only authorized administrators to update another user's role or status.
Vulnerable behavior: The target user is updated without any access token.
Impact: A remote unauthenticated attacker can modify arbitrary users and escalate privileges to administrator by setting the role field to ADMIN. This may lead to full compromise of application administration features and user data.
Recommended remediation: Require authentication and administrator authorization on PATCH /api/v1/users/{user_id}. Split self-service user update and administrator user update schemas. Remove role and status from public user update paths. Enforce service-layer field allowlists so sensitive fields cannot be mass-assigned through non-admin endpoints. |
|---|
| 원천 | ⚠️ https://github.com/zhinianboke/xianyu-auto-reply/issues/192 |
|---|
| 사용자 | Galaxyn (UID 98388) |
|---|
| 제출 | 2026. 06. 12. AM 05:54 (1 월 ago) |
|---|
| 모더레이션 | 2026. 07. 14. PM 05:51 (1 month later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 378334 [zhinianboke xianyu-auto-reply 까지 dcb445ad97816ad65299a7580ee0c8c8f929da84 Backend User Endpoint /api/v1/users/ 권한 상승] |
|---|
| 포인트들 | 20 |
|---|