You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description: POST /api/contactpersonen/{id}/disable is @NoAdminRequired with zero service-level authorisation. Any authenticated user can disable any account by ID, including the admin account. Combined with C2 (privilege escalation) this creates a permanent admin lockout: escalate to super-user, disable admin, take over the instance.
Scenario:
POST /api/contactpersonen/<admin-contact-id>/disable
Sent as any authenticated user → admin account disabled → permanent lockout.
Suggested fix:
Gate with admin or org-admin check.
Verify that the caller has authority over the target contact's organisation before allowing disable.
Severity: CRITICAL
Location:
lib/Controller/ContactpersonenController.phplines 1022–1113;lib/Service/ContactpersoonService.phplines 1273–1404Description:
POST /api/contactpersonen/{id}/disableis@NoAdminRequiredwith zero service-level authorisation. Any authenticated user can disable any account by ID, including the admin account. Combined with C2 (privilege escalation) this creates a permanent admin lockout: escalate to super-user, disable admin, take over the instance.Scenario:
Sent as any authenticated user → admin account disabled → permanent lockout.
Suggested fix:
Source: deep team-reviewer pass 2026-05-27