Bug #38913
[closed] CVE-2025-9572: GraphQL API permission bypass leads to information disclosure
Difficulty:
Triaged: No
Description
Expected Behavior
GraphQL should apply the same taxonomy scoping and permission filters as the REST API.
Impact
Information Disclosure: Authenticated users can view location and organizational structure data beyond their authorized scope.
Technical Details
The GraphQL resolver implementation does not apply taxonomy scoping filters. The fix requires:
- Apply taxonomy scoping to GraphQL resolver queries
- Filter taxonomy associations in API responses
- Ensure GraphQL uses the same authorization logic as the REST API
CVE: CVE-2025-9572
Severity: High
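The bug class and the fix described above, as an added Ruby illustration that is not Foreman's own code: a resolver that queries the model directly skips the taxonomy scope the REST path applies, while a resolver that reuses the same scope helper cannot return records outside the caller's locations. The `TaxonomyScope` module, the `Location`/`User` structs and the sample data are assumptions constructed for this example.

```ruby
# Constructed sample data (not Foreman's models).
Location = Struct.new(:id, :name)
User = Struct.new(:login, :admin, :location_ids)

ALL_LOCATIONS = [
  Location.new(1, "london"),
  Location.new(2, "paris"),
  Location.new(3, "tokyo"),
].freeze

# Single source of truth for taxonomy scoping, shared by both API paths.
# Admins see every location; other users only the locations assigned to them.
module TaxonomyScope
  def self.locations_for(user)
    return ALL_LOCATIONS if user.admin
    ALL_LOCATIONS.select { |loc| user.location_ids.include?(loc.id) }
  end
end

# REST-style path: already applies the scope before returning records.
def rest_locations(user)
  TaxonomyScope.locations_for(user).map(&:name)
end

# GraphQL-style resolver BEFORE the fix: reads the model directly and never
# consults the caller's taxonomy scope, so every location is disclosed.
def graphql_locations_unscoped(_context)
  ALL_LOCATIONS.map(&:name)
end

# GraphQL-style resolver AFTER the fix: reuses the exact scope the REST path uses.
def graphql_locations_scoped(context)
  TaxonomyScope.locations_for(context[:current_user]).map(&:name)
end

# Regression check: anything a GraphQL resolver returns for a user must also be
# returned by the REST path for that user; any extra record is a scope leak.
def leaks_beyond_rest?(user, graphql_result)
  (graphql_result - rest_locations(user)).any?
end
```

A test of this shape, run per user role, is the simplest guard against the two API surfaces drifting apart again.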
Updated by The Foreman Bot 15 days ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/10774 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10775 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10776 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10778 added
Updated by Adam Ruzicka 15 days ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|38ab97fcda1dafa1cfa4a70f3a61d0e6fe04059b.
Updated by The Foreman Bot 15 days ago
- Pull request deleted (https://github.com/theforeman/foreman/pull/10774, https://github.com/theforeman/foreman/pull/10775, https://github.com/theforeman/foreman/pull/10776, https://github.com/theforeman/foreman/pull/10778)
Updated by Oleh Fedorenko 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10778 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10779 added
Updated by The Foreman Bot 15 days ago
- Pull request https://github.com/theforeman/foreman/pull/10780 added