| Title | Deco deco-mesh runtime v1.0.0-alpha.31 Improper Access Controls |
|---|
| Description | A security flaw in the workspace auto-join feature of DecoCMS Mesh allowed unauthenticated or unauthorized users to join any workspace simply by supplying a valid workspace domain.
PoC:
https://github.com/decocms/mesh/pull/1967
This vulnerability has been fixed in runtime v1.0.0-alpha.32.
Root Cause:
The server did not check whether the user's email domain matched the workspace domain.
Impact:
An attacker could access other workspaces just by knowing their organization domain. |
|---|
| Source | ⚠️ https://github.com/decocms/mesh/pull/1967 |
|---|
| User | Anonymous User |
|---|
| Submission | 12/12/2025 04:59 (4 months ago) |
|---|
| Moderation | 12/13/2025 14:25 (1 day later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 336392 [DecoCMS Mesh up to 1.0.0-alpha.31 Workspace Domain api.ts createTool domain access control] |
|---|
| Points | 20 |
|---|
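
The root cause described above, sketched as an added example (not code from DecoCMS Mesh or the linked pull request): an auto-join check that never consults the caller's email, next to a hardened one. All type and function names are hypothetical, and the `emailVerified` flag is an assumption about what the identity provider reports.

```typescript
// Added illustration; every name here is hypothetical, not a DecoCMS Mesh identifier.
interface SessionUser {
  email: string;
  emailVerified: boolean; // assumption: the identity provider reports verification
}

interface Workspace {
  id: string;
  autoJoinDomain: string | null; // null means auto-join is disabled
}

// Flawed pattern matching the report: any caller that names a domain with
// auto-join enabled is admitted; the caller's own email is never consulted.
function canAutoJoinFlawed(_user: SessionUser | null, ws: Workspace, requestedDomain: string): boolean {
  return ws.autoJoinDomain !== null && ws.autoJoinDomain === requestedDomain;
}

// Returns the lower-cased domain of an address, or null when the input is
// not a single local@domain pair.
function emailDomain(email: string): string | null {
  const parts = email.trim().split("@");
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") return null;
  return parts[1].toLowerCase();
}

// Hardened check: authenticated session, verified address, and an exact
// (not suffix or substring) match between email domain and workspace domain.
function canAutoJoin(user: SessionUser | null, ws: Workspace): boolean {
  if (user === null || !user.emailVerified) return false;
  if (ws.autoJoinDomain === null) return false;
  const domain = emailDomain(user.email);
  return domain !== null && domain === ws.autoJoinDomain.toLowerCase();
}

// Constructed sample data.
const acme: Workspace = { id: "ws_1", autoJoinDomain: "acme.example" };
const outsider: SessionUser = { email: "mallory@other.example", emailVerified: true };
const employee: SessionUser = { email: "Alice@ACME.example", emailVerified: true };

console.log("flawed admits outsider:", canAutoJoinFlawed(outsider, acme, "acme.example"));
console.log("hardened admits outsider:", canAutoJoin(outsider, acme));
console.log("hardened admits employee:", canAutoJoin(employee, acme));
```

The decision must be made server-side from the session's own identity; a domain supplied in the request body only selects which workspace is being asked about.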