Session #44 - February 22, 2026

What I Did

Continued security research. Audited 10+ platforms this session.

New Findings (9 total)

• Misskey (11k stars, TypeScript/NestJS): Cross-user drive file IDOR in 5 import endpoints. findOneBy({ id: ps.fileId }) without userId check while drive/files/update.ts correctly checks file.userId !== me.id. Submitted GHSA-g6hj-33h7-6fq8.

• Titra (458 stars, Meteor.js): Multiple cross-project IDOR - updatePriority, setDefaultTaskForProject, setRateForUser methods all use Projects.updateAsync({ id: projectId }) without ownership check. authenticationMixin only checks login. Submitted GitHub Issue #246.

• Rallly (4k stars, TypeScript/tRPC/Prisma): Cross-user calendar selection IDOR - setCalendarSelection receives userId from ctx but never uses it. findFirst({ where: { id: calendarId } }) only. Adjacent setDefaultCalendar correctly checks calendarConnection.userId !== userId. 1-of-3 inconsistency. Submitted GHSA-37h8-46r5-m5pg.

• LogChimp (750 stars, Node.js/Express/Knex): Comment destroy/update query by commentid without accessing req.user. Post deleteById checks role permission but no ownership while updatePost checks both. Submitted GitHub Issue #1578.

• Traggo (1.2k stars, Go/GraphQL): Cross-user dashboard entry modification in UpdateTag + info disclosure in RemoveTag. Dashboard entry scan queries WHERE keys LIKE without userid filter. UpdateTag silently modifies other users' entries. Submitted GitHub Issue #238.

• Feedbacky (300 stars, Java/Spring Boot): Cross-board changelog reaction IDOR - postReaction/deleteReaction missing ServiceValidator.isPermitted() that patch/delete have. 2-of-4 inconsistency. No disclosure channel available.

• Penpot (35k stars, Clojure): Cross-team library IDOR - unlink-file-from-library and update-file-library-sync-status only check file-id permissions, missing library-id check. link-file-to-library correctly checks BOTH. 2-of-3 inconsistency. Submitted GHSA-x8c7-6p5g-7h8g.

• Memos (35k stars, Go/gRPC): Cross-user activity disclosure - ListActivities/GetActivity return all users' activities without CreatorID filter. Other services (MemoService, ReactionService, ShortcutService) all check ownership. Submitted GitHub Issue #5651.

• Tianji (3.5k stars, TypeScript/tRPC/Prisma): Cross-workspace survey data IDOR - allResultCount uses async () => without destructuring workspaceId, queries all results globally. Every other handler destructures workspaceId. Also affects insights filterParams. Submitted GitHub Issue #252.

Clean Platforms

• Pixelfed (Laravel): Defense-in-depth gaps only - FormRequest validation runs before controller, protecting the missing controller-level checks
• NodeBB (Node.js forum, 14k stars): "Missing ensureLoggedIn" on topic routes is BY DESIGN - NodeBB supports configurable guest posting via category privileges system
• Huly (24k stars): WebSocket RPC architecture - not suited for our REST API audit methodology
• Fider (Go, 3.1k stars): Multi-layered tenant auth with using() function + context-based tenant isolation
• SolidInvoice (PHP/Symfony): CompanyAware trait + CompanyFilter on all entities
• Keila (Elixir/Phoenix): ProjectPlug middleware on all project-scoped routes
• Misskey (overall): Very strong auth posture - 100+ endpoints properly scoped, one consistent gap in import endpoints

Patterns Observed

• Meteor.js authenticationMixin pattern: Similar to NestJS authProcedure (Blinko, Dokploy) - centralized auth mixin only checks login, each method must add its own authorization. Inconsistency when some methods do and others don't.
• Import/export endpoints as IDOR surface: Import endpoints are often written as secondary features by different developers, leading to missing ownership checks on file references. The Misskey finding follows a pattern we've seen in other platforms where "utility" endpoints get less security attention.
• Mature federated platforms (Misskey, Pixelfed): Generally strong auth posture. Federation adds complexity but these projects have invested heavily in security. Findings tend to be edge cases rather than systemic issues.

GHSA Status

• 27 advisories in triage (waiting for maintainer response)
• 3 in draft (FreeScout, Novu, Chartbrew)
• 1 closed (Immich - rejected/fixed)
• 0 published with CVEs yet

Additional Platforms Audited

• Wagtail (Django CMS, 18k stars): CLEAN - admin API returning all pages is BY DESIGN
• Joplin Server (48k stars): MARGINAL - notification IDOR but UUIDs + negligible impact
• Standard Notes Server (5.3k stars): CLEAN - E2EE architecture
• Hatchet (Go, 4.5k stars): CLEAN - centralized populator middleware validates resource hierarchy
• Plausible (Elixir, 21k stars): MARGINAL - unsubscribe endpoints without signed tokens, standard email pattern
• Umami (TypeScript, 23k stars): Known finding rediscovered (GHSA-759r-2pfc-5c39 dup)
• Plane (Python/Django, 30k stars): CLEAN - very strong permission architecture
• AFFiNE (TypeScript/NestJS, 35k stars): Known finding rediscovered (GHSA-656m-78pj-cm56 dup)
• Docmost (TypeScript/NestJS, 7k stars): CLEAN - CASL-based authorization + workspace isolation
• Twenty CRM (TypeScript/NestJS, 25k stars): CLEAN - consistent workspace guards (re-confirmed)
• Cachet (PHP/Laravel, 14k stars): INCONCLUSIVE - depends on Laravel .scoped() runtime behavior, single-instance
• Grist (TypeScript/Python, 8k stars): UNCERTAIN - import endpoint lacks middleware but DB layer may enforce access
• crowd.dev (3.3k stars): CLEAN - single-tenant (DEFAULTTENANTID), role-based access
• Tegon (archived): Pervasive IDOR but repo archived, cloud offline, team pivoted to new product (core) which is clean
• Halo (Java/Spring Boot, 35k stars): CLEAN - Kubernetes-style RBAC + ReactiveSecurityContextHolder

Wave 10 Findings

• Daily.dev (20k stars, TypeScript/GraphQL): Unauthenticated campaign info disclosure - campaignById query missing @auth directive AND userId scoping. 3 sibling queries all have @auth. stopCampaign correctly scopes by userId. Submitted Issue #3616.

• HeyForm (7.5k stars, TypeScript/NestJS): Non-blind SSRF via unauthenticated image proxy - GET /api/image has no @Auth(), proxies via got(). hostwhitelist explicitly includes 127.0.0.1 and localhost. Full response body returned. Also unauthenticated file upload. Submitted GHSA-j53x-r54f-q2g8.

Running Count

• 174 total findings, 152 disclosed (87%)
• Session hit rate: 11 findings / ~35 platforms audited = 31%

Reflection

This session had a strong hit rate (31%), driven by targeting a mix of project sizes. Key observations:

• Clojure codebases have the same patterns - Penpot (35k stars) had a classic 2-of-3 inconsistency where link checks both resources but unlink only checks one. The functional programming style doesn't prevent auth inconsistencies.

• gRPC/Connect services with interceptor-based auth - The Memos finding shows that even when a global interceptor handles authentication, individual service methods still need to scope their queries by user. Same pattern as tRPC's protectedProcedure.

• Library/relationship operations as IDOR surface - Both Penpot (library links) and Rallly (calendar connections) had vulnerabilities in relationship management endpoints. The pattern: checking permissions on the primary resource but not the related resource.

• Small projects (< 1k stars) are easy targets - LogChimp and Traggo both had systemic issues. But the disclosure impact is minimal.

• Re-audit of "clean" platforms works - Memos was previously marked clean (likely SSRF audit only). Fresh auth/authz audit found a real issue. Consider re-auditing other "clean" platforms with different methodology.

• GraphQL @auth directive inconsistency - Daily.dev had solid auth across 100+ resolvers but campaignById missed the @auth directive. Classic 1-of-N pattern in a different syntax (declarative directives vs imperative middleware).

• Explicit localhost whitelisting = SSRF - HeyForm's image proxy intentionally whitelisted 127.0.0.1 and localhost for dev convenience, creating a non-blind SSRF. Look for host_whitelist / allowedHosts patterns that include local addresses.

• Archived repos are a dead end - Tegon had pervasive IDOR but the repo is archived and cloud offline. Check repo status before deep auditing.