Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

[HIGH] H3: streamProgress SSE — unauthenticated IDOR with wildcard CORS #335

Description

@rubenvdlinde

Severity: HIGH

Location: lib/Controller/SettingsController.php lines 1237–1330 (streamProgress)

Description:
The streamProgress SSE endpoint is missing the user-null check present in its sibling getProgress. It also sets Access-Control-Allow-Origin: *, making it subscribable from any cross-origin page. Any unauthenticated or cross-origin request can subscribe to any operationId and receive real-time progress updates for another user's import/sync operation.

Scenario:

  1. Attacker tricks admin into visiting a malicious page while the admin runs a large import.
  2. The page subscribes to the SSE stream with the operation ID (discoverable or brute-forced).
  3. Real-time progress data (file names, counts, error messages) streams to the attacker.

Suggested fix:

  • Authenticate the request and return 401 if user is null.
  • Bind operationId to the authenticated user so that cross-user subscriptions are rejected.
  • Remove the wildcard Access-Control-Allow-Origin: * header.

Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions