3 matches found
PT-2026-42634
Summary The OAuth token strategy attached oauth scope and oauth granted resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope e.g. MCP-only therefore inherited the full permissions of the underlying user across all routes; the...
PT-2026-42675
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.04.1 Description The OAuth token strategy attaches oauth scope and oauth granted resources to the request user, but the ACL Access Control List middleware fails to consult these values. Consequently, an OAuth toke...
Privilege Escalation
sentry is vulnerable to Privilege Escalation. An authenticated attacker is able to take advantage of an access token with a restricted scope by requesting a list of all user-created tokens, including those with wider scopes from the /api/0/api-tokens/ endpoint, resulting in privilege escalation...