| Title | coco-annotator v0.11.1 Broken Function Level Authorization |
|---|
| Description | An attacker can delete categories created by other users via a DELETE request to the /api/undo/ endpoint without any ownership or permission checks. This constitutes a Broken Function Level Authorization (BFLA) vulnerability, allowing unauthorized manipulation of protected resources.
Vulnerable Endpoint
DELETE /api/undo/?id=198&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<valid session cookie of low-privilege user>
• id: The category ID created by another user (e.g., “natan”)
• instance: The type of object to delete (e.g., “category”)
Impact
• Any authenticated user can delete categories created by other users.
• No verification is done to ensure that the requester is the original creator or has elevated permissions (e.g., admin).
• Leads to data integrity issues, potential denial of service, or abuse in multi-tenant environments.
Steps to Reproduce
1. Log in as User A and create a category.
2. Log in as User B (a separate, normal user).
3. Send the following request as User B:
DELETE /api/undo/?id=<category_id_from_UserA>&instance=category HTTP/1.1
Host: localhost:5001
Cookie: session=<UserB's valid session>
4. ✅ The category created by User A is deleted by User B. |
|---|
| Source | ⚠️ https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md |
|---|
| User | nmmorette (UID 87361) |
|---|
| Submission | 01/23/2026 15:53 (4 months ago) |
|---|
| Moderation | 02/06/2026 15:23 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344685 [jsbroks COCO Annotator up to 0.11.1 Delete Category /api/undo/ ID improper authorization] |
|---|
| Points | 20 |
|---|