Bug #38913
closed
CVE-2025-9572: GraphQL API permission bypass leads to information disclosure
Added by Ondřej Gajdušek about 2 months ago.
Updated about 2 months ago.
Description
Expected Behavior
GraphQL should apply the same taxonomy scoping and permission filters as the REST API.
Impact
Information Disclosure: Authenticated users can view location and organizational structure data beyond their authorized scope.
Technical Details
The GraphQL resolver implementation does not apply taxonomy scoping filters. The fix requires:
- Apply taxonomy scoping to GraphQL resolver queries
- Filter taxonomy associations in API responses
- Ensure GraphQL uses the same authorization logic as REST API
CVE: CVE-2025-9572
Severity: High
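To make the three fix requirements concrete, the following is an added illustration written for this page, not Foreman's code: an in-memory model of taxonomy (location) scoping with an unscoped GraphQL-style resolver beside the scoped one, plus filtering of a resource's location associations. The data, the `Location`/`Subnet`/`User` structs and the `scoped_locations` shape of the REST-side filter are all assumptions.

```ruby
# Added illustration, not Foreman's code: an in-memory model of taxonomy
# (location) scoping with an unscoped GraphQL-style resolver beside the scoped one.
require 'set'

Location = Struct.new(:id, :name)
Subnet   = Struct.new(:name, :location_ids)
User     = Struct.new(:login, :location_ids) # taxonomies the user is assigned to

# Constructed sample data: three locations, two subnets, one user in 'paris' only.
LOCATIONS = [Location.new(1, 'paris'), Location.new(2, 'berlin'), Location.new(3, 'tokyo')].freeze
SUBNETS   = [Subnet.new('dmz', [1, 2, 3]), Subnet.new('lab', [2])].freeze
ALICE     = User.new('alice', Set[1]).freeze

# Taxonomy scope as the REST side applies it (assumed shape): only locations the
# user is assigned to are visible.
def scoped_locations(user)
  LOCATIONS.select { |loc| user.location_ids.include?(loc.id) }
end

# Vulnerable resolver pattern: returns the whole collection and ignores the caller.
def resolve_locations_unscoped(_user)
  LOCATIONS.map(&:name)
end

# Fixed resolver pattern: route the query through the same scope as REST.
def resolve_locations_scoped(user)
  scoped_locations(user).map(&:name)
end

# Fixed association handling: a subnet is returned only if it shares a location
# with the caller, and its `locations` field lists only the caller's locations.
def resolve_subnets(user)
  visible = scoped_locations(user).map(&:id)
  SUBNETS.select { |s| (s.location_ids & visible).any? }
         .map { |s| { name: s.name, locations: s.location_ids & visible } }
end

# Regression check: any location the unscoped resolver returns that the REST
# scope would hide is a leak. An empty result means GraphQL and REST agree.
def leaked_locations(user)
  resolve_locations_unscoped(user) - resolve_locations_scoped(user)
end

if __FILE__ == $PROGRAM_NAME
  puts "GraphQL (unscoped): #{resolve_locations_unscoped(ALICE).inspect}"
  puts "GraphQL (scoped):   #{resolve_locations_scoped(ALICE).inspect}"
  puts "Leaked to alice:    #{leaked_locations(ALICE).inspect}"
end
```

In a real deployment the same comparison is made between the REST response and the GraphQL response for one low-privilege test user; any record present only in GraphQL indicates the scoping gap this issue describes.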
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/10774 added
- Pull request https://github.com/theforeman/foreman/pull/10775 added
- Pull request https://github.com/theforeman/foreman/pull/10776 added
- Pull request https://github.com/theforeman/foreman/pull/10778 added
- Fixed in Releases 3.18.0 added
- Status changed from Ready For Testing to Closed
- Pull request deleted (https://github.com/theforeman/foreman/pull/10774, https://github.com/theforeman/foreman/pull/10775, https://github.com/theforeman/foreman/pull/10776, https://github.com/theforeman/foreman/pull/10778)
- Pull request https://github.com/theforeman/foreman/pull/10778 added
- Pull request https://github.com/theforeman/foreman/pull/10779 added
- Pull request https://github.com/theforeman/foreman/pull/10780 added
- Fixed in Releases 3.17.0 added
- Fixed in Releases 3.16.2 added