Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e334677d9965 · 2026-01-27T22:16:02.000Z
GHSA-8cw6-53m5-4932 GHSA-w5wv-wvrp-v5m5
diff --git a/advisories/github-reviewed/2026/01/GHSA-8cw6-53m5-4932/GHSA-8cw6-53m5-4932.json b/advisories/github-reviewed/2026/01/GHSA-8cw6-53m5-4932/GHSA-8cw6-53m5-4932.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8cw6-53m5-4932",
+  "modified": "2026-01-27T22:13:52Z",
+  "published": "2026-01-27T22:13:52Z",
+  "aliases": [
+    "CVE-2026-24134"
+  ],
+  "summary": "StudioCMS has Authorization Bypass Through User-Controlled Key",
+  "details": "### Summary\nStudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the \"Visitor\" role to access draft content created by Editor/Admin/Owner users.\n\n### Details\n**The Issue:**\nThe endpoint `/dashboard/content-management/edit?edit={UUID}` validates user authentication but does NOT validate:\n1. User role (should require Editor/Admin/Owner)\n2. Content ownership (should verify the draft belongs to the user)\n\nThis allows users with \"Visitor\" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.\n\n### PoC\n   - **User A:** Editor role (example username: `dummy04`)\n   - **User B:** Visitor role (example username: `dummy01`)\n\n**Reproduction Steps:**\n\n**Step 1 - Create draft as Editor:**\n\n1. Login as User A (Editor role)\n2. Navigate to: `http://localhost:4321/dashboard/content-management`\n3. Create new content (it will stay as draft)\n4. After saving, note the UUID in the URL:\n````\n   http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\n````\n   Copy this UUID: `bad87630-69a4-4cd6-bcb2-6965839dc148`\n\n**Step 2 - Access draft as Visitor:**\n\n1. Login as Visitor and get auth_session cookie\n```\ncurl -X POST \"http://127.0.0.1:4321/studiocms_api/auth/login\" -F 'username=dummy01' -F 'password=dummy01pass$'\n```\n<img width=\"1128\" height=\"376\" alt=\"01\" src=\"https://github.com/user-attachments/assets/86c5290e-e7a2-470e-bbf5-5f5247eddec1\" />\n\n2. Proof of Visitor permission\n<img width=\"1899\" height=\"450\" alt=\"02\" src=\"https://github.com/user-attachments/assets/aabd47d3-163f-4a56-8296-08bd40c5ccdc\" />\n\n3. Access Editor's draft using the UUID\n```\ncurl \"http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148\" -H \"Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q\" -v\n```\n\n**Result:** Returns full HTML page with draft content (200 OK)\n\n### Impact\n**Impact Scenarios:**\n\n1. **Information Disclosure:**\n   - Visitor users can read unpublished drafts containing sensitive information\n   - Drafts may contain confidential business information, unreleased announcements, or proprietary content\n   - Competitive intelligence could be gathered from draft content\n\n2. **Privacy Violation:**\n   - Personal notes, work-in-progress content, or internal communications in drafts exposed\n   - Violation of content creator privacy expectations\n\n3. **Business Impact:**\n   - Premature disclosure of marketing campaigns, product launches, or announcements\n   - Loss of competitive advantage if draft strategies are exposed\n   - Potential compliance issues if drafts contain regulated information\n\n4. **Complete RBAC Bypass:**\n   - The entire role-based access control system for draft content is bypassed\n   - \"Visitor\" role becomes equivalent to \"Editor\" for read access to drafts\n   - Undermines the trust model of multi-user content management",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "studiocms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/withstudiocms/studiocms"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639",
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-27T22:13:52Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-w5wv-wvrp-v5m5/GHSA-w5wv-wvrp-v5m5.json b/advisories/github-reviewed/2026/01/GHSA-w5wv-wvrp-v5m5/GHSA-w5wv-wvrp-v5m5.json
@@ -0,0 +1,107 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w5wv-wvrp-v5m5",
+  "modified": "2026-01-27T22:15:28Z",
+  "published": "2026-01-27T22:15:28Z",
+  "aliases": [
+    "CVE-2026-24748"
+  ],
+  "summary": "Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access",
+  "details": "### Impact\n\nA bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity.  This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks.\n\nAdditionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server.\n\nThis vulnerability was identified by security researchers, and there are no known reports of exploitation in the wild.\n\n### Patches\n\nThis problem has been patched in the previous 3 versions of Kargo. Based on our information, almost all users are on one of these versions. If for some reason you cannot upgrade from an earlier version, please reach out to us.\n\n### Workarounds\n\nThere are no workarounds for this issue, so it is highly recommended to upgrade at the earliest possible\n\n### Additional details\n\nThis issue was caused by fallback logic in token authentication. The majority of Kargo endpoints are backed by Kubernetes objects, and for these endpoints, unrecognized token types are passed to the Kubernetes API for validation. However, the affected endpoints do not use Kubernetes or used an internal client not subject to authentication, so unrecognized tokens had no validation fallback. As a result, any request with a non-empty `Bearer` token in the `Authorization` header was incorrectly treated as authorized.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/akuity/kargo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.6.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/akuity/kargo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.7.0-rc.1"
+            },
+            {
+              "fixed": "1.7.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/akuity/kargo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.8.0-rc.1"
+            },
+            {
+              "fixed": "1.8.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/akuity/kargo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-27T22:15:28Z",
+    "nvd_published_at": null
+  }
+}
