| Título | waooAI waoowaoo 0.4.1 Improper Access Control |
|---|
| Descrição | A vulnerability was found in waooAI waoowaoo 0.4.1 and classified as medium severity.
The affected version was verified from package.json version 0.4.1 at commit
30bf17e6293503895af66cc4a59548bdf478633d.
Affected is the media object routing and storage signing functionality. The application
derives a stable public media identifier from only the storage object key:
publicId = "m_" + sha256(storageKey).slice(0, 40)
The MediaObject database model stores globally unique publicId and storageKey values, but
does not store a user, tenant, project, or asset owner security scope. The /m/[publicId]
route resolves a global MediaObject by publicId, creates a signed URL for media.storageKey,
and streams the object without requiring authentication or checking whether the caller owns
the project or asset that references the media. A related endpoint, /api/storage/sign?key=...,
also returns a signed object URL for any supplied key without authentication.
The manipulation of the publicId route parameter, or the key query parameter on the storage
signing endpoint, leads to unauthorized access to private user media. It is possible to
launch the attack remotely against network-reachable deployments. Authentication required:
no. User interaction required: no.
Technical Details
- Affected file/function: src/lib/media/hash.ts / stablePublicIdFromStorageKey()
- Affected file/function: src/lib/media/service.ts / ensureMediaObjectFromStorageKey(), getMediaObjectByPublicId()
- Affected file/function: src/app/m/[publicId]/route.ts / GET(), HEAD()
- Related file/function: src/app/api/storage/sign/route.ts / GET()
- Vulnerable parameter: publicId route parameter
- Related parameter: key query parameter
- Attack vector: Network
- Privileges required: None
- Trigger condition: a victim media object exists and the attacker knows, obtains, or can infer a valid storageKey or /m/<publicId> URL
Minimal Proof of Concept
Given a victim media object with storageKey "uploads/cat.png", the stable media publicId is:
m_61528aebee09284f2c313f9751fcfba79511c259
An unauthenticated request to:
GET /m/m_61528aebee09284f2c313f9751fcfba79511c259
causes the route to resolve the global MediaObject, sign the stored storageKey, and stream
the underlying object without user or project authorization. If the storage key itself is
known, an unauthenticated request to:
GET /api/storage/sign?key=uploads%2Fcat.png
also redirects to a signed object URL.
Impact
- Confidentiality: High
- Integrity: None
- Availability: None
The exposed data may include user-uploaded or AI-generated images, videos, audio files,
voice samples, character assets, scene assets, and other project media. Direct remote code
execution was not observed. Data modification was not observed through this route.
CVSS v3.1
Score: 5.9 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
The attack is assessed with high attack complexity because exploitation generally requires
the attacker to know, obtain, or infer a valid storage key or stable media URL. Once such an
identifier is known, retrieval is reliable and does not require authentication.
Timeline
- Discovered: 2026-06-10
- Vendor notified: 2026-06-10
- Patch released: [unknown]
- Public disclosure: 2026-06-10
Countermeasure
Bind MediaObject records and media retrieval to a security scope such as user, tenant,
project, or asset ownership, and enforce that scope in /m/[publicId] before signing or
streaming the object. Alternatively, make media public IDs unguessable bearer tokens scoped
to the intended access policy. The /api/storage/sign endpoint should require authorization
or verify that the caller is allowed to access the requested storage key before returning a
signed object URL. Existing media rows may require a migration/backfill strategy. |
|---|
| Fonte | ⚠️ https://github.com/waooAI/waoowaoo/issues/201 |
|---|
| Utilizador | Dem0000000 (UID 98743) |
|---|
| Submissão | 10/06/2026 18h08 (há 1 mês) |
|---|
| Moderação | 13/07/2026 16h01 (1 month later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 378109 [waooAI waoowaoo até 0.4.1 Media src/lib/media/hash.ts stablePublicIdFromStorageKey storageKey Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|