GHSA-QPM9-H556-MWXM
Vulnerability from github – Published: 2026-07-08 21:11 – Updated: 2026-07-08 21:11Impact
In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user:
- Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) — so every version of
nl.nl-portal:documenten-apiever published is affected (the earliest one on Maven Central is0.2.2.RELEASE, published 2023-08-31). - Decisions (
besluiten). A logged-in user could list, search, and read decision records — including their audit trails and the documents attached to them — for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. Thebesluitenmodule was introduced in the1.5.xrelease line (commit9229460b, 2024-08-19), so versions ofnl.nl-portal:besluitenfrom1.5.0through3.0.0are affected.
Decisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user's document IDs by enumerating decisions, they can pull those documents' contents through the document endpoint.
Why these two findings are reported together
They share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same — bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents), so they describe a single end-to-end weakness in the GraphQL surface.
Patches
Upgrade to 3.0.1 or later.
nl.nl-portal:documenten-api— the resolver now declares the authentication parameter, so the framework binds the authenticated user into the call path. Fix commit:32e0ebdf— "Add auth on DocumentContentQuery.kt".nl.nl-portal:besluiten— the entirebesluitenmodule is removed in 3.0.1. Consumers who rely on the besluiten functionality must implement a replacement at the application layer with explicit per-user authorization on every resolver before upgrading. Fix commit:f592af1b— "Removal of Besluiten API".
Workarounds
For deployments that cannot upgrade immediately:
- Block the following GraphQL operations at the API gateway:
getDocumentContent,getBesluiten,getBesluit,getBesluitAuditTrails,getBesluitAuditTrail,getBesluitDocumenten,getBesluitDocument. - If per-operation blocking is not possible, block the
besluitenmodule's GraphQL types entirely and block the document-content query.
Technical details
nl.nlportal.documentenapi.graphql.DocumentContentQuery.getDocumentContent(documentApi, id)did not declare aCommonGroundAuthenticationparameter on the resolver. The authenticated principal was therefore not bound into the call path and document content could be retrieved without the resolver participating in user-scoped authorization. Patched by addingauthentication: CommonGroundAuthenticationto the resolver signature, so Spring's argument resolution rejects unauthenticated invocations of the query.nl.nlportal.besluiten.graphql.BesluitenQueryexposed six GraphQL operations —getBesluiten,getBesluit,getBesluitAuditTrails,getBesluitAuditTrail,getBesluitDocumenten,getBesluitDocument— none of which declared aCommonGroundAuthenticationparameter. In particular,getBesluitenaccepted filter arguments (besluitType,identificatie,verantwoordelijkeOrganisatie,zaak,pageNumber) but performed no user scoping, allowing callers to enumerate besluit records across users. The point-lookup operations (getBesluit,getBesluitAuditTrail,getBesluitDocument) returned data for any UUID without ownership checks. The fix is the removal ofBesluitenQuery,BesluitenAutoConfiguration, and the integration test, and the autoconfiguration entry has been unwired from the application defaults.
Credits
Discovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.0"
},
"package": {
"ecosystem": "Maven",
"name": "nl.nl-portal:documenten-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.0"
},
"package": {
"ecosystem": "Maven",
"name": "nl.nl-portal:besluiten"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49463"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-08T21:11:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\n\nIn versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user:\n\n- **Document content.** A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) \u2014 so every version of `nl.nl-portal:documenten-api` ever published is affected (the earliest one on Maven Central is `0.2.2.RELEASE`, published 2023-08-31).\n- **Decisions (`besluiten`).** A logged-in user could list, search, and read decision records \u2014 including their audit trails and the documents attached to them \u2014 for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. The `besluiten` module was introduced in the `1.5.x` release line (commit `9229460b`, 2024-08-19), so versions of `nl.nl-portal:besluiten` from `1.5.0` through `3.0.0` are affected.\n\nDecisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user\u0027s document IDs by enumerating decisions, they can pull those documents\u0027 contents through the document endpoint.\n\n### Why these two findings are reported together\n\nThey share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same \u2014 bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents), so they describe a single end-to-end weakness in the GraphQL surface.\n\n## Patches\n\nUpgrade to **3.0.1** or later.\n\n- **`nl.nl-portal:documenten-api`** \u2014 the resolver now declares the authentication parameter, so the framework binds the authenticated user into the call path. Fix commit: `32e0ebdf` \u2014 \"Add auth on DocumentContentQuery.kt\".\n- **`nl.nl-portal:besluiten`** \u2014 the entire `besluiten` module is removed in 3.0.1. Consumers who rely on the besluiten functionality must implement a replacement at the application layer with explicit per-user authorization on every resolver before upgrading. Fix commit: `f592af1b` \u2014 \"Removal of Besluiten API\".\n\n## Workarounds\n\nFor deployments that cannot upgrade immediately:\n\n- Block the following GraphQL operations at the API gateway: `getDocumentContent`, `getBesluiten`, `getBesluit`, `getBesluitAuditTrails`, `getBesluitAuditTrail`, `getBesluitDocumenten`, `getBesluitDocument`.\n- If per-operation blocking is not possible, block the `besluiten` module\u0027s GraphQL types entirely and block the document-content query.\n\n## Technical details\n\n- `nl.nlportal.documentenapi.graphql.DocumentContentQuery.getDocumentContent(documentApi, id)` did not declare a `CommonGroundAuthentication` parameter on the resolver. The authenticated principal was therefore not bound into the call path and document content could be retrieved without the resolver participating in user-scoped authorization. Patched by adding `authentication: CommonGroundAuthentication` to the resolver signature, so Spring\u0027s argument resolution rejects unauthenticated invocations of the query.\n- `nl.nlportal.besluiten.graphql.BesluitenQuery` exposed six GraphQL operations \u2014 `getBesluiten`, `getBesluit`, `getBesluitAuditTrails`, `getBesluitAuditTrail`, `getBesluitDocumenten`, `getBesluitDocument` \u2014 none of which declared a `CommonGroundAuthentication` parameter. In particular, `getBesluiten` accepted filter arguments (`besluitType`, `identificatie`, `verantwoordelijkeOrganisatie`, `zaak`, `pageNumber`) but performed no user scoping, allowing callers to enumerate besluit records across users. The point-lookup operations (`getBesluit`, `getBesluitAuditTrail`, `getBesluitDocument`) returned data for any UUID without ownership checks. The fix is the removal of `BesluitenQuery`, `BesluitenAutoConfiguration`, and the integration test, and the autoconfiguration entry has been unwired from the application defaults.\n\n## Credits\n\nDiscovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.",
"id": "GHSA-qpm9-h556-mwxm",
"modified": "2026-07-08T21:11:54Z",
"published": "2026-07-08T21:11:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nl-portal/nl-portal-backend-libraries/security/advisories/GHSA-qpm9-h556-mwxm"
},
{
"type": "PACKAGE",
"url": "https://github.com/nl-portal/nl-portal-backend-libraries"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.