• v1.4.0 1c16354725

    fix UI privilege escalation vulnerability

    kyle released this 2026-03-13 04:59:02 +00:00 | 49 commits to master since this release

    • Add requireAdminRole middleware to web UI that checks
      claims.HasRole("admin") and returns 403 if absent
    • Apply middleware to all admin routes (accounts, policies,
      audit, dashboard, credentials)
    • Remove redundant inline admin check from handleAdminResetPassword
    • Profile routes correctly require only authentication, not admin

    Security: The admin/adminGet middleware wrappers only called
    requireCookieAuth (JWT validation) but never verified the admin
    role. Any authenticated user could access admin endpoints
    including role assignment. Fixed by inserting requireAdminRole
    into the middleware chain for all admin routes.
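The flaw and the fix described above, as an added example that is not the project's own code. It assumes a Go net/http web UI; the `Claims` type, the cookie name `session`, the hard-coded `sessions` table standing in for JWT validation, and the route paths are all constructed for illustration. `adminBefore` mirrors the vulnerable wrapper (authentication only) and `adminAfter` the corrected chain with `requireAdminRole` inserted after `requireCookieAuth`; `probe` drives both through `httptest` so the 200-versus-403 difference is checked rather than described.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Claims is an assumed stand-in for the JWT claims that a validated
// session cookie yields; only the parts the role check needs.
type Claims struct {
	Subject string
	Roles   []string
}

// HasRole mirrors the claims.HasRole("admin") call named in the release note.
func (c Claims) HasRole(role string) bool {
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

type claimsKey struct{}

// sessions is a constructed substitute for JWT verification: cookie value -> claims.
// alice is an ordinary user; root carries the admin role.
var sessions = map[string]Claims{
	"tok-alice": {Subject: "alice", Roles: []string{"user"}},
	"tok-root":  {Subject: "root", Roles: []string{"user", "admin"}},
}

// requireCookieAuth authenticates the request (401 on failure) and stores the
// claims in the request context. It says nothing about authorization.
func requireCookieAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		claims, ok := sessions[c.Value]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), claimsKey{}, claims)))
	})
}

// requireAdminRole is the added authorization step: 403 unless the
// authenticated claims carry the admin role. It must run after requireCookieAuth.
func requireAdminRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, ok := r.Context().Value(claimsKey{}).(Claims)
		if !ok || !claims.HasRole("admin") {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// adminBefore reproduces the vulnerable wrapper: any authenticated user passes.
func adminBefore(h http.HandlerFunc) http.Handler { return requireCookieAuth(h) }

// adminAfter is the fixed wrapper: authentication, then the role check.
func adminAfter(h http.HandlerFunc) http.Handler { return requireCookieAuth(requireAdminRole(h)) }

// assignRole stands in for an admin-only handler such as role assignment.
func assignRole(w http.ResponseWriter, r *http.Request) {
	claims := r.Context().Value(claimsKey{}).(Claims)
	fmt.Fprintf(w, "role assigned by %s", claims.Subject)
}

// profile needs authentication only, matching the note's profile routes.
func profile(w http.ResponseWriter, r *http.Request) {
	claims := r.Context().Value(claimsKey{}).(Claims)
	fmt.Fprintf(w, "profile of %s", claims.Subject)
}

// newMux builds the routes with the given admin wrapper (assumed paths).
func newMux(admin func(http.HandlerFunc) http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/admin/accounts/role", admin(assignRole))
	mux.Handle("/profile", requireCookieAuth(http.HandlerFunc(profile)))
	return mux
}

// probe sends a request with the given session cookie and returns the status code.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if token != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: token})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("before, alice -> admin route:", probe(newMux(adminBefore), "/admin/accounts/role", "tok-alice"))
	fmt.Println("after,  alice -> admin route:", probe(newMux(adminAfter), "/admin/accounts/role", "tok-alice"))
	fmt.Println("after,  root  -> admin route:", probe(newMux(adminAfter), "/admin/accounts/role", "tok-root"))
	fmt.Println("after,  alice -> profile:    ", probe(newMux(adminAfter), "/profile", "tok-alice"))
}
```

The order matters: `requireAdminRole` reads claims that only `requireCookieAuth` puts in the context, so it is wrapped inside the auth middleware, and a missing or unrecognized cookie still yields 401 before any role logic runs. Keeping the role check in the wrapper rather than inline in each handler is what makes the inline check in `handleAdminResetPassword` redundant.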