CVE Reports

Posted on • Originally published at cvereports.com

GHSA-9GJV-JVM7-VV2V: Improper Access Control Exposes Private Sub-Object Data in Gramps Web API

Vulnerability ID: GHSA-9GJV-JVM7-VV2V
CVSS Score: 4.3
Published: 2026-04-09

The Gramps Web API (gramps-webapi) contains an access control flaw in its data serialization layer that fails to properly filter nested objects. Authenticated users with the lowest privilege level (Guest) can retrieve sub-objects explicitly marked as private by the database owner, leading to unauthorized disclosure of sensitive personal data.

TL;DR

Gramps Web API versions prior to 3.11.0 expose private sub-objects (addresses, notes, media) to unauthorized Guest users via API list endpoints due to missing serialization filters.


Technical Details

  • CWE ID: CWE-200, CWE-284
  • Attack Vector: Network (Authenticated API Request)
  • Privileges Required: Low (Guest Role)
  • Impact: Confidentiality Loss (Moderate)
  • Exploit Maturity: Unverified
  • CVSS v3.1 Base Score: 4.3

Affected Systems

  • gramps-web-api (pip package)
  • Gramps Web instances running backend API < v3.11.0
  • gramps-webapi: < 3.11.0 (Fixed in: 3.11.0)

Mitigation Strategies

  • Upgrade gramps-webapi package to version 3.11.0 or newer.
  • Revoke Guest role access for unverified or untrusted accounts if immediate patching is not possible.
  • Implement strict role-based access control (RBAC) audits to ensure users have the absolute minimum required privileges.

Remediation Steps

  1. Access the server or container hosting the Gramps Web backend.
  2. Update the Python package: run pip install --upgrade gramps-webapi, or pull the updated v3.11.0 Docker image.
  3. Restart the application server or container to ensure the new serialization logic is loaded into memory.
  4. Authenticate as a Guest user and perform an API query against a known record containing private sub-objects to verify they are properly redacted.
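As an added illustration (not gramps-webapi's own code), the following Python models the flaw class described above and the check in remediation step 4: a serializer that only inspects the top-level record lets private nested objects through, a recursive filter removes them at every depth, and find_private_paths audits an API response for anything still flagged private. The field names (address_list, note_list, media_list) and the sample record are assumptions constructed for the example.

```python
"""Constructed model of nested records with Gramps-style private flags.
Added example, not gramps-webapi's own code."""
from typing import Any

# Constructed sample: the person is public, but one address and one note
# are flagged private by the database owner.
SAMPLE_PERSON = {
    "handle": "p001", "private": False,
    "primary_name": {"first_name": "Jane", "surname": "Doe", "private": False},
    "address_list": [{"street": "1 Example Street", "private": True},
                     {"street": "2 Public Road", "private": False}],
    "note_list": [{"text": "Adopted; do not publish", "private": True}],
    "media_list": [],
}

def redact_top_level_only(obj: dict, can_view_private: bool) -> Any:
    """Flawed pattern (the advisory's bug class): only the record itself is
    checked, so private sub-objects inside its lists pass through unfiltered."""
    return obj if can_view_private or not obj.get("private") else None

def redact_private(obj: Any, can_view_private: bool) -> Any:
    """Fixed pattern: check the private flag recursively, dropping any dict
    flagged private at any depth and any list entry that was dropped."""
    if can_view_private:
        return obj
    if isinstance(obj, dict):
        if obj.get("private") is True:
            return None
        kept = {k: redact_private(v, False) for k, v in obj.items()}
        return {k: v for k, v in kept.items() if v is not None}
    if isinstance(obj, list):
        return [v for v in (redact_private(x, False) for x in obj) if v is not None]
    return obj

def find_private_paths(obj: Any, path: str = "$") -> list:
    """Audit helper for remediation step 4: walk a Guest's API response and
    return the path of every object still carrying private=True."""
    found = []
    if isinstance(obj, dict):
        if obj.get("private") is True:
            found.append(path)
        for key, value in obj.items():
            found.extend(find_private_paths(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_private_paths(value, f"{path}[{i}]"))
    return found
```

Running find_private_paths over the JSON a Guest account actually receives from a list endpoint, after the upgrade, should return an empty list; any path it reports is a sub-object that is still being disclosed.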

Read the full report for GHSA-9GJV-JVM7-VV2V on our website for more details including interactive diagrams and full exploit analysis.