DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-5Q8V-J673-M5V4: Insecure Direct Object Reference and Authorization Bypass in Firefly III API

Vulnerability ID: GHSA-5Q8V-J673-M5V4
CVSS Score: 5.7
Published: 2026-03-07

Firefly III versions 6.4.23 through 6.5.0 contain an Insecure Direct Object Reference (IDOR) vulnerability within the user management API endpoints. The application fails to validate role-based access controls on specific API routes, allowing any authenticated user to enumerate and read the sensitive details of all registered accounts on the system.

TL;DR

Missing authorization checks in the Firefly III UserController allow low-privileged authenticated users to access sensitive data (emails, roles, account status) of all other users via the API.
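To make the authorization gap concrete, here is an added Python model of list and show handlers; it is not Firefly III's PHP code. One pair of handlers is missing the role check, the other enforces the owner role that the fix commit describes for the UserController index and show methods. The User and Response types, the sample accounts and the "owner"/"user" role labels are all constructed for this illustration.

```python
"""Model of the authorization gap described in the advisory.

Added illustration, not Firefly III's code: an in-memory user store with two
handler pairs. The *_vulnerable pair only requires an authenticated caller;
the *_fixed pair additionally requires the owner role, as the fix commit
describes. All names and sample data here are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    email: str
    role: str      # "owner" or "user" (constructed labels)
    blocked: bool  # account status


# Constructed sample accounts: email, role and status are exactly the kind of
# data the advisory says a low-privileged user could read.
USERS = {
    1: User(1, "admin@example.invalid", "owner", False),
    2: User(2, "alice@example.invalid", "user", False),
    3: User(3, "bob@example.invalid", "user", True),
}


@dataclass(frozen=True)
class Response:
    status: int
    body: object = None


def _serialize(u: User) -> dict:
    return {"id": u.id, "email": u.email, "role": u.role, "blocked": u.blocked}


# --- Vulnerable pattern: authenticated, but no role check ------------------
def index_vulnerable(caller: User) -> Response:
    """Any authenticated caller receives the full user list (the IDOR)."""
    return Response(200, [_serialize(u) for u in USERS.values()])


def show_vulnerable(caller: User, user_id: int) -> Response:
    """Any authenticated caller can read any single account by ID."""
    u = USERS.get(user_id)
    if u is None:
        return Response(404)
    return Response(200, _serialize(u))


# --- Hardened pattern: owner role required -------------------------------
def require_owner(caller: User) -> Optional[Response]:
    """Return a 403 response when the caller is not an owner, else None."""
    if caller.role != "owner":
        return Response(403, {"message": "owner role required"})
    return None


def index_fixed(caller: User) -> Response:
    denied = require_owner(caller)
    if denied:
        return denied
    return Response(200, [_serialize(u) for u in USERS.values()])


def show_fixed(caller: User, user_id: int) -> Response:
    # Authorize before looking the record up, so a non-owner cannot tell an
    # existing ID from a missing one by comparing 404 and 403 responses.
    denied = require_owner(caller)
    if denied:
        return denied
    u = USERS.get(user_id)
    if u is None:
        return Response(404)
    return Response(200, _serialize(u))


if __name__ == "__main__":
    alice = USERS[2]
    print(index_vulnerable(alice).status, len(index_vulnerable(alice).body))
    print(index_fixed(alice).status, index_fixed(USERS[1]).status)
```

The ordering in show_fixed is the detail worth copying: the role check runs before the database lookup, so a non-owner gets the same 403 for every ID and the endpoint cannot be used as an existence oracle even after the fix.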


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-5Q8V-J673-M5V4
  • CWE ID: CWE-863 (Incorrect Authorization)
  • CVSS v4.0 Score: 5.7 (Medium)
  • Attack Vector: Network (Authenticated API Request)
  • Exploit Status: Proof of Concept Available
  • Impact: High Data Confidentiality (Information Disclosure)

Affected Systems

  • Firefly III API
  • grumpydictator/firefly-iii (Packagist ecosystem)
  • Firefly III: >= 6.4.23, <= 6.5.0 (Fixed in: 6.5.1)

Code Analysis

Commit: 26c6985

Implemented owner role checks in UserController index and show methods to resolve API IDOR.

Exploit Details

  • General Advisory: the advisory includes the cURL request used to enumerate the user list via the API.

Mitigation Strategies

  • Upgrade Firefly III to version 6.5.1
  • Implement WAF rules to restrict access to /api/v1/users based on IP allowlisting
  • Apply owner-role middleware to the user management API route group

Remediation Steps:

  1. Verify the current version of Firefly III deployed in the environment.
  2. Execute the standard upgrade procedure utilizing Composer: composer update grumpydictator/firefly-iii.
  3. Validate the update by attempting to access /api/v1/users with a standard, non-owner user token.
  4. Audit application access logs for indicators of prior enumeration.
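The following Python script is an added helper for steps 3 and 4 above; it is not part of the advisory or of the Firefly III project. probe() issues the step-3 request (assuming Firefly III accepts a bearer token in the Authorization header), classify_probe() turns the resulting status into a verdict, and find_enumeration() scans access log lines for successful reads of /api/v1/users by user IDs that are not owners. The log layout, the LOG_RE pattern and the sample lines are constructed for this example; adapt the regex to what your reverse proxy actually writes.

```python
"""Post-upgrade checks for the remediation steps in the advisory.

Added example, not from the advisory or the Firefly III project.
  * probe()/classify_probe(): step 3, request /api/v1/users with a standard,
    non-owner token and interpret the HTTP status.
  * find_enumeration(): step 4, count successful reads of the user endpoints
    by non-owner user IDs in access log lines.
"""
import re
import urllib.error
import urllib.request
from collections import Counter
from typing import Iterable, Set

# Matches /api/v1/users and /api/v1/users/<id>, with or without a query string.
USERS_PATH = re.compile(r"^/api/v1/users(?:/\d+)?(?:\?|$)")


def probe(base_url: str, token: str, timeout: float = 10.0) -> int:
    """Issue the step-3 request and return the HTTP status code.

    Assumes a bearer token in the Authorization header; run it against your
    own instance with a deliberately non-owner user's token.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/users",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify_probe(status_code: int) -> str:
    """Map the status of a non-owner request to /api/v1/users to a verdict."""
    if status_code == 200:
        return "VULNERABLE: non-owner token received the user list"
    if status_code in (401, 403):
        return "FIXED: request denied"
    return f"INCONCLUSIVE: unexpected status {status_code}"


# Assumed log layout (constructed): client IP, authenticated user id, request
# line, status. Replace this with the pattern your proxy or Laravel logging
# actually emits.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) user=(?P<uid>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_enumeration(lines: Iterable[str], owner_ids: Set[str]) -> dict:
    """Return {user_id: count} of successful user-endpoint GETs by non-owners.

    Only 200 responses count: denied requests after the fix are noise here,
    while 200s from non-owners are the indicator of prior enumeration.
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if m["method"] != "GET" or m["status"] != "200":
            continue
        if not USERS_PATH.match(m["path"]):
            continue
        if m["uid"] in owner_ids:
            continue  # owners are allowed to read these endpoints
        hits[m["uid"]] += 1
    return dict(hits)


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    '10.0.0.5 user=1 "GET /api/v1/users HTTP/1.1" 200',
    '10.0.0.9 user=2 "GET /api/v1/users HTTP/1.1" 200',
    '10.0.0.9 user=2 "GET /api/v1/users/1 HTTP/1.1" 200',
    '10.0.0.9 user=2 "GET /api/v1/users/3 HTTP/1.1" 200',
    '10.0.0.9 user=2 "GET /api/v1/accounts HTTP/1.1" 200',
    '10.0.0.7 user=3 "GET /api/v1/users HTTP/1.1" 403',
    "garbage line that does not parse",
]


if __name__ == "__main__":
    print(classify_probe(403))
    print(find_enumeration(SAMPLE_LOG, owner_ids={"1"}))
```

Feed find_enumeration() the log window that covers the period before the upgrade; a non-owner ID with any hits is the account to investigate, since after the fix those requests should only ever appear with a 403.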

Read the full report for GHSA-5Q8V-J673-M5V4 on our website for more details including interactive diagrams and full exploit analysis.
