Vulnerability-Lookup

CVE-2026-33541 (GCVE-0-2026-33541)

Vulnerability from cvelistv5 – Published: 2026-03-26 20:27 – Updated: 2026-03-27 20:01

Title

TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service

Summary

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption
CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/miraheze/TSPortal/security/adv…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
miraheze	TSPortal	Affected: < 34

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33541",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T19:52:08.746386Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:01:35.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TSPortal",
          "vendor": "miraheze",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 34"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T20:27:05.840Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h"
        }
      ],
      "source": {
        "advisory": "GHSA-f346-8rp3-4h9h",
        "discovery": "UNKNOWN"
      },
      "title": "TSPortal\u0027s Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33541",
    "datePublished": "2026-03-26T20:27:05.840Z",
    "dateReserved": "2026-03-20T18:05:11.832Z",
    "dateUpdated": "2026-03-27T20:01:35.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33541",
      "date": "2026-05-25",
      "epss": "0.00057",
      "percentile": "0.1768"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33541\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T21:17:05.867\",\"lastModified\":\"2026-04-03T20:20:56.697\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.\"},{\"lang\":\"es\",\"value\":\"TSPortal es la plataforma interna de la Fundaci\u00f3n WikiTide utilizada por el equipo de Confianza y Seguridad para gestionar informes, investigaciones, apelaciones y trabajo de transparencia. Antes de la versi\u00f3n 34, una falla en TSPortal permit\u00eda a los atacantes crear registros de usuario arbitrarios en la base de datos al abusar de la l\u00f3gica de validaci\u00f3n. Si bien la validaci\u00f3n rechazaba correctamente los nombres de usuario no v\u00e1lidos, un efecto secundario dentro de una regla de validaci\u00f3n provocaba que se crearan registros de usuario independientemente de si la solicitud ten\u00eda \u00e9xito. Esto podr\u00eda ser explotado para causar un crecimiento descontrolado de la base de datos, lo que llevar\u00eda a una potencial denegaci\u00f3n de servicio (DoS). La versi\u00f3n 34 contiene una soluci\u00f3n para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wikitide:tsportal:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"34\",\"matchCriteriaId\":\"4EB3C2C4-36B0-46DD-8B37-3F93629BAC0C\"}]}]}],\"references\":[{\"url\":\"https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33541\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T19:52:08.746386Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T19:52:12.106Z\"}}], \"cna\": {\"title\": \"TSPortal\u0027s Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service\", \"source\": {\"advisory\": \"GHSA-f346-8rp3-4h9h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"miraheze\", \"product\": \"TSPortal\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 34\"}]}], \"references\": [{\"url\": \"https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h\", \"name\": \"https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TSPortal is the WikiTide Foundation\\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T20:27:05.840Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33541\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:01:35.174Z\", \"dateReserved\": \"2026-03-20T18:05:11.832Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T20:27:05.840Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33541

Vulnerability from fkie_nvd - Published: 2026-03-26 21:17 - Updated: 2026-04-03 20:20

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wikitide	tsportal	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wikitide:tsportal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4EB3C2C4-36B0-46DD-8B37-3F93629BAC0C",
              "versionEndExcluding": "34",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "TSPortal is the WikiTide Foundation\u2019s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS). Version 34 contains a fix for the issue."
    },
    {
      "lang": "es",
      "value": "TSPortal es la plataforma interna de la Fundaci\u00f3n WikiTide utilizada por el equipo de Confianza y Seguridad para gestionar informes, investigaciones, apelaciones y trabajo de transparencia. Antes de la versi\u00f3n 34, una falla en TSPortal permit\u00eda a los atacantes crear registros de usuario arbitrarios en la base de datos al abusar de la l\u00f3gica de validaci\u00f3n. Si bien la validaci\u00f3n rechazaba correctamente los nombres de usuario no v\u00e1lidos, un efecto secundario dentro de una regla de validaci\u00f3n provocaba que se crearan registros de usuario independientemente de si la solicitud ten\u00eda \u00e9xito. Esto podr\u00eda ser explotado para causar un crecimiento descontrolado de la base de datos, lo que llevar\u00eda a una potencial denegaci\u00f3n de servicio (DoS). La versi\u00f3n 34 contiene una soluci\u00f3n para el problema."
    }
  ],
  "id": "CVE-2026-33541",
  "lastModified": "2026-04-03T20:20:56.697",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-26T21:17:05.867",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        },
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-F346-8RP3-4H9H

Vulnerability from github – Published: 2026-03-27 15:42 – Updated: 2026-03-27 15:42

Summary

TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service

Details

Summary

A flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS).

Details

When submitting a Data Processing Agreement (DPA) request in TSPortal, the DPAAlreadyLive validation rule previously called User::findOrCreate().

This method created a user record if one did not already exist.

Although username validation (via MirahezeUsernameRule) correctly rejected invalid usernames, the DPAAlreadyLive rule was still executed during validation. Because it performed a state-changing operation, it created user records even when the overall validation failed and no DPA was created.

As a result: - Validation correctly rejected invalid input - However, user records were still inserted into the database as a side effect

These records were created: - Without a successful DPA request - Without audit logging tied to a completed action - Without visibility into their origin

Impact

An attacker could exploit this behavior by automating requests with invalid usernames, resulting in:

Mass creation of arbitrary user records
Unbounded database growth
Increased storage and indexing overhead
Potential degradation of application performance

At scale, this could lead to a denial of service condition due to resource exhaustion.

Proof of Concept

Submit a DPA request using an invalid username
Ensure the request fails validation due to MirahezeUsernameRule
Observe that a corresponding user record is still created in the database

This behavior was confirmed prior to remediation.

Root Cause

The issue stemmed from: - Performing state-changing operations (findOrCreate) inside validation logic - Validation rules executing regardless of overall validation success - Lack of separation between validation and persistence layers

Mitigation

The issue has been fixed by removing database write operations from validation logic.

Specifically: - Replaced User::findOrCreate() with a non-mutating lookup (User::firstWhere(...)) - Ensured validation rules only perform read operations - Prevented user creation unless all validation passes

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 33"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "miraheze/ts-portal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T15:42:20Z",
    "nvd_published_at": "2026-03-26T21:17:05Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded. This could be exploited to cause uncontrolled database growth, leading to a potential denial of service (DoS).\n\n### Details\nWhen submitting a Data Processing Agreement (DPA) request in TSPortal, the `DPAAlreadyLive` validation rule previously called `User::findOrCreate()`.\n\nThis method created a user record if one did not already exist.\n\nAlthough username validation (via `MirahezeUsernameRule`) correctly rejected invalid usernames, the `DPAAlreadyLive` rule was still executed during validation. Because it performed a state-changing operation, it created user records even when the overall validation failed and no DPA was created.\n\nAs a result:\n- Validation correctly rejected invalid input\n- However, user records were still inserted into the database as a side effect\n\nThese records were created:\n- Without a successful DPA request\n- Without audit logging tied to a completed action\n- Without visibility into their origin\n\n### Impact\nAn attacker could exploit this behavior by automating requests with invalid usernames, resulting in:\n\n- Mass creation of arbitrary user records\n- Unbounded database growth\n- Increased storage and indexing overhead\n- Potential degradation of application performance\n\nAt scale, this could lead to a denial of service condition due to resource exhaustion.\n\n### Proof of Concept\n1. Submit a DPA request using an invalid username\n2. Ensure the request fails validation due to `MirahezeUsernameRule`\n3. Observe that a corresponding user record is still created in the database\n\nThis behavior was confirmed prior to remediation.\n\n### Root Cause\nThe issue stemmed from:\n- Performing state-changing operations (`findOrCreate`) inside validation logic\n- Validation rules executing regardless of overall validation success\n- Lack of separation between validation and persistence layers\n\n### Mitigation\nThe issue has been fixed by removing database write operations from validation logic.\n\nSpecifically:\n- Replaced `User::findOrCreate()` with a non-mutating lookup (`User::firstWhere(...)`)\n- Ensured validation rules only perform read operations\n- Prevented user creation unless all validation passes",
  "id": "GHSA-f346-8rp3-4h9h",
  "modified": "2026-03-27T15:42:20Z",
  "published": "2026-03-27T15:42:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/miraheze/TSPortal/security/advisories/GHSA-f346-8rp3-4h9h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33541"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/miraheze/TSPortal"
    },
    {
      "type": "WEB",
      "url": "https://issue-tracker.miraheze.org/T15115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TSPortal\u0027s Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33541 (GCVE-0-2026-33541)

FKIE_CVE-2026-33541

GHSA-F346-8RP3-4H9H

Summary

Details

Impact

Proof of Concept

Root Cause

Mitigation

Tags

Sightings

Nomenclature