Submit #801781: mettle sendportal v3.0.1 Insecure direct object referenceinfo

Titlemettle sendportal v3.0.1 Insecure direct object reference
DescriptionSummary The destroy() method in WorkspaceInvitationsController allows any workspace owner to delete invitations belonging to any other workspace (IDOR - CWE-639). Vulnerability Details File: app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php, lines 42-47 public function destroy(Invitation $invitation): RedirectResponse { $invitation->delete(); // No workspace ownership check return redirect()->route('users.index'); } The route group at routes/web.php line 59 applies OwnsCurrentWorkspace::class middleware, which verifies the user owns their current workspace — but does NOT verify the {invitation} parameter belongs to that workspace. Laravel route model binding resolves ANY invitation by ID. Secure pattern comparison: The store() method in the same controller correctly scopes to the current workspace via $request->user()->currentWorkspace(). The invitations table has a workspace_id foreign key but it is never validated in destroy(). Recommended Fix public function destroy(Invitation $invitation): RedirectResponse { abort_unless( $invitation->workspace_id === auth()->user()->currentWorkspace()->id, 404 ); $invitation->delete(); return redirect()->route('users.index'); } Disclosure Found during security research. Happy to provide additional details.
Source⚠️ https://github.com/mettle/sendportal/issues/337
User
 B1scuit (UID 97177)
Submission04/10/2026 06:51 (3 months ago)
Moderation04/26/2026 21:53 (17 days later)
StatusAccepted
VulDB entry359744 [mettle sendportal up to 3.0.1 Invitation WorkspaceInvitationsController.php destroy invitation authorization]
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!