Submit #803751: OWASP DefectDojo < 2.56.0 Authorization Bypassinfo

TitleOWASP DefectDojo < 2.56.0 Authorization Bypass
DescriptionDefectDojo does not properly validate that the supplied risk_acceptance ID (raid) belongs to the supplied engagement ID (eid). Authorization decorator checks only the engagement (@user_is_authorized on eid), while functions view_edit_risk_acceptance, edit_risk_acceptance, expire_risk_acceptance, reinstate_risk_acceptance and delete_risk_acceptance simply do get_object_or_404(Risk_Acceptance, pk=raid) without any affiliation check. Only the download_risk_acceptance endpoint contains the correct check: if not Engagement.objects.filter(risk_acceptance=risk_acceptance, id=eid).exists(): raise PermissionDenied As a result, any authenticated user who has access to at least one engagement can read, edit, expire, reinstate or delete Risk Acceptance objects (and all accepted findings inside them) that belong to any other product/engagement.
Source⚠️ https://github.com/noname1337h1/cve-bug-bounty/blob/main/dfdj_risk_acceptance_raid_idor_authorization_bypass/dfdj_risk_acceptance_raid_idor_authorization_bypass.md
User
 noname1337 (UID 97313)
Submission04/13/2026 20:19 (3 months ago)
Moderation04/30/2026 17:17 (17 days later)
StatusAccepted
VulDB entry360317 [OWAP DefectDojo up to 2.55.4 Benchmark/Engagement/Product/Survey authorization]
Points20

Want to know what is going to be exploited?

We predict KEV entries!