GHSA-QPM9-H556-MWXM

Vulnerability from github – Published: 2026-07-08 21:11 – Updated: 2026-07-08 21:11
VLAI
Summary
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries
Details

Impact

In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user:

  • Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) — so every version of nl.nl-portal:documenten-api ever published is affected (the earliest one on Maven Central is 0.2.2.RELEASE, published 2023-08-31).
  • Decisions (besluiten). A logged-in user could list, search, and read decision records — including their audit trails and the documents attached to them — for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. The besluiten module was introduced in the 1.5.x release line (commit 9229460b, 2024-08-19), so versions of nl.nl-portal:besluiten from 1.5.0 through 3.0.0 are affected.

Decisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user's document IDs by enumerating decisions, they can pull those documents' contents through the document endpoint.

Why these two findings are reported together

They share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same — bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents), so they describe a single end-to-end weakness in the GraphQL surface.

Patches

Upgrade to 3.0.1 or later.

  • nl.nl-portal:documenten-api — the resolver now declares the authentication parameter, so the framework binds the authenticated user into the call path. Fix commit: 32e0ebdf — "Add auth on DocumentContentQuery.kt".
  • nl.nl-portal:besluiten — the entire besluiten module is removed in 3.0.1. Consumers who rely on the besluiten functionality must implement a replacement at the application layer with explicit per-user authorization on every resolver before upgrading. Fix commit: f592af1b — "Removal of Besluiten API".

Workarounds

For deployments that cannot upgrade immediately:

  • Block the following GraphQL operations at the API gateway: getDocumentContent, getBesluiten, getBesluit, getBesluitAuditTrails, getBesluitAuditTrail, getBesluitDocumenten, getBesluitDocument.
  • If per-operation blocking is not possible, block the besluiten module's GraphQL types entirely and block the document-content query.

Technical details

  • nl.nlportal.documentenapi.graphql.DocumentContentQuery.getDocumentContent(documentApi, id) did not declare a CommonGroundAuthentication parameter on the resolver. The authenticated principal was therefore not bound into the call path and document content could be retrieved without the resolver participating in user-scoped authorization. Patched by adding authentication: CommonGroundAuthentication to the resolver signature, so Spring's argument resolution rejects unauthenticated invocations of the query.
  • nl.nlportal.besluiten.graphql.BesluitenQuery exposed six GraphQL operations — getBesluiten, getBesluit, getBesluitAuditTrails, getBesluitAuditTrail, getBesluitDocumenten, getBesluitDocument — none of which declared a CommonGroundAuthentication parameter. In particular, getBesluiten accepted filter arguments (besluitType, identificatie, verantwoordelijkeOrganisatie, zaak, pageNumber) but performed no user scoping, allowing callers to enumerate besluit records across users. The point-lookup operations (getBesluit, getBesluitAuditTrail, getBesluitDocument) returned data for any UUID without ownership checks. The fix is the removal of BesluitenQuery, BesluitenAutoConfiguration, and the integration test, and the autoconfiguration entry has been unwired from the application defaults.

Credits

Discovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "nl.nl-portal:documenten-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "nl.nl-portal:besluiten"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49463"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-08T21:11:54Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nIn versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user:\n\n- **Document content.** A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) \u2014 so every version of `nl.nl-portal:documenten-api` ever published is affected (the earliest one on Maven Central is `0.2.2.RELEASE`, published 2023-08-31).\n- **Decisions (`besluiten`).** A logged-in user could list, search, and read decision records \u2014 including their audit trails and the documents attached to them \u2014 for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. The `besluiten` module was introduced in the `1.5.x` release line (commit `9229460b`, 2024-08-19), so versions of `nl.nl-portal:besluiten` from `1.5.0` through `3.0.0` are affected.\n\nDecisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user\u0027s document IDs by enumerating decisions, they can pull those documents\u0027 contents through the document endpoint.\n\n### Why these two findings are reported together\n\nThey share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same \u2014 bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents), so they describe a single end-to-end weakness in the GraphQL surface.\n\n## Patches\n\nUpgrade to **3.0.1** or later.\n\n- **`nl.nl-portal:documenten-api`** \u2014 the resolver now declares the authentication parameter, so the framework binds the authenticated user into the call path. Fix commit: `32e0ebdf` \u2014 \"Add auth on DocumentContentQuery.kt\".\n- **`nl.nl-portal:besluiten`** \u2014 the entire `besluiten` module is removed in 3.0.1. Consumers who rely on the besluiten functionality must implement a replacement at the application layer with explicit per-user authorization on every resolver before upgrading. Fix commit: `f592af1b` \u2014 \"Removal of Besluiten API\".\n\n## Workarounds\n\nFor deployments that cannot upgrade immediately:\n\n- Block the following GraphQL operations at the API gateway: `getDocumentContent`, `getBesluiten`, `getBesluit`, `getBesluitAuditTrails`, `getBesluitAuditTrail`, `getBesluitDocumenten`, `getBesluitDocument`.\n- If per-operation blocking is not possible, block the `besluiten` module\u0027s GraphQL types entirely and block the document-content query.\n\n## Technical details\n\n- `nl.nlportal.documentenapi.graphql.DocumentContentQuery.getDocumentContent(documentApi, id)` did not declare a `CommonGroundAuthentication` parameter on the resolver. The authenticated principal was therefore not bound into the call path and document content could be retrieved without the resolver participating in user-scoped authorization. Patched by adding `authentication: CommonGroundAuthentication` to the resolver signature, so Spring\u0027s argument resolution rejects unauthenticated invocations of the query.\n- `nl.nlportal.besluiten.graphql.BesluitenQuery` exposed six GraphQL operations \u2014 `getBesluiten`, `getBesluit`, `getBesluitAuditTrails`, `getBesluitAuditTrail`, `getBesluitDocumenten`, `getBesluitDocument` \u2014 none of which declared a `CommonGroundAuthentication` parameter. In particular, `getBesluiten` accepted filter arguments (`besluitType`, `identificatie`, `verantwoordelijkeOrganisatie`, `zaak`, `pageNumber`) but performed no user scoping, allowing callers to enumerate besluit records across users. The point-lookup operations (`getBesluit`, `getBesluitAuditTrail`, `getBesluitDocument`) returned data for any UUID without ownership checks. The fix is the removal of `BesluitenQuery`, `BesluitenAutoConfiguration`, and the integration test, and the autoconfiguration entry has been unwired from the application defaults.\n\n## Credits\n\nDiscovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.",
  "id": "GHSA-qpm9-h556-mwxm",
  "modified": "2026-07-08T21:11:54Z",
  "published": "2026-07-08T21:11:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nl-portal/nl-portal-backend-libraries/security/advisories/GHSA-qpm9-h556-mwxm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nl-portal/nl-portal-backend-libraries"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…