appsec.fyi

Authorization / Broken Access Control Resources

Post Share

A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Authorization / Broken Access Control

Authorization vulnerabilities occur when applications fail to properly enforce access controls, allowing users to perform actions or access resources beyond their intended permissions. Broken Access Control consistently ranks as the #1 risk in the OWASP Top 10, encompassing issues like privilege escalation (both vertical and horizontal), missing function-level access controls, and insecure direct object references at the authorization layer. Unlike authentication (verifying who you are), authorization determines what you are allowed to do — and flaws here can expose entire administrative interfaces, allow users to modify other accounts, or grant elevated privileges through parameter tampering, forced browsing, or JWT manipulation. Modern applications with complex role hierarchies, microservice architectures, and API-first designs face particular challenges in maintaining consistent authorization checks across every endpoint and resource.

Read the AuthZ guideA long-form, source-cited deep dive synthesized from every resource below. The comprehensive AuthZ guide on chs.usA hand-written, in-depth practitioner guide — attacks, testing, and prevention.
Date Added Link Excerpt
2026-07-09 NEW 2026GhostApproval: A Trust Boundary Gap in AI Coding Assistants advanced 10 min read AILibrary addressing GhostApproval, a trust boundary gap in AI coding assistants, where symlink following (CWE-61) combined with UI misrepresentation (CWE-451) allows malicious repositories to trick agents like Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf into writing to arbitrary files outside the sandbox, potentially leading to remote code execution. → wiz.io
2026-07-08 NEW 2026BadSuccessor — Exploiting delegated Managed Service Accounts in Windows Server 2025 advanced 8 min readLibrary for exploiting delegated Managed Service Accounts (dMSAs) in Windows Server 2025, detailing the "BadSuccessor" vulnerability. This flaw arises from missing permission checks, allowing low-level users with `CreateChild` rights on an OU to create a dMSA and link it to a privileged account. The system then incorrectly grants the dMSA all of the predecessor's permissions during Kerberos ticket issuance, enabling privilege escalation to high-level administrative roles. → infosecwriteups.com
2026-07-07 NEW 2026How I Found a Data Deletion Bypass via Subdomain Synchronization intermediate 4 min read Bug BountyWriteup detailing a business logic vulnerability in a self-hosted bug bounty program. The author discovered a data deletion bypass by exploiting a synchronization flaw between two subdomains, `account.redacted.com` and `todo.redacted.com`. A user with a Moderator role, who should not have deletion privileges, could delete an entire organizational group by leveraging the application's unchecked data exchange, causing a cascade deletion across both subdomains. This finding highlights the importance of proper authorization enforcement and understanding application workflows, even without complex tools or techniques. → infosecwriteups.com
2026-07-07 NEW 2026Mass Assignment and the Identity Drift: From Profile Edit to Insurance Takeover intermediate 7 min read Bug BountyWriteup detailing Mass Assignment and identity drift, where an application erroneously allows users to update sensitive identity fields like legal name and date of birth through an edit profile endpoint. This vulnerability, when combined with a verified account status, enables "identity drift," allowing an attacker to manipulate their profile to match a legitimate individual. The writeup then demonstrates a second-order impact: successfully linking a victim's insurance or benefit record to the attacker's account by exploiting the modified identity fields used in the linking process. → infosecwriteups.com
2026-07-06 NEW 2026I Found an Unauthenticated Attachment Disclosure Bug in a WordPress Support Plugin — and a… intermediate 8 min readWriteup detailing an unauthenticated attachment disclosure vulnerability in a WordPress support plugin. The research, conducted in an isolated Docker environment, reveals that a specific REST API endpoint lacks proper authorization checks, allowing anonymous users to access sensitive customer attachments like invoices and personal records. The author validates the vulnerability through proof-of-concept requests and MD5 hash comparisons, highlighting the potential for widespread data exfiltration. → infosecwriteups.com
2026-07-06 NEW 2026Mr Robot CTF Walkthrough -TryHackMe Detailed intermediate 8 min read Bug Bounty ReconWriteup detailing the Mr Robot CTF on TryHackMe, covering initial access through root. This guide explains web enumeration via robots.txt and Gobuster, WordPress login bypass using source code analysis, reverse shell establishment through the theme editor, and Linux privilege escalation via SUID abuse of the Nmap binary. → infosecwriteups.com
2026-07-04 2026Certified AD Red Team Specialist (AD-RTS): Full Exam Write-Up intermediate 13 min read AuthNWriteup detailing a full methodology for the Certified AD Red Team Specialist (AD-RTS) exam, covering two distinct adversary paths. Path 1 begins with zero credentials and involves DNS zone transfers for enumeration, ASREPRoasting via GetNPUsers to gain SQL Server access, privilege escalation with GodPotato to SYSTEM, and credential harvesting using MiniDump. This leads to abusing AD Certificate Services (ADCS) via ESC1, leveraging certipy-ad, to request a certificate impersonating Domain Admin. Path 2 focuses on escalating from a low-privilege foothold on a public-facing web server. → infosecwriteups.com
2026-07-04 2026Post-Compromise Attacks in AD: Credential Validation with CrackMapExec intermediate 2 min read AuthNWriteup detailing post-compromise Active Directory attacks, focusing on credential validation using CrackMapExec. The article demonstrates using a compromised domain user credential, obtained via LLMNR poisoning, to authenticate against other machines on the network. It covers using CrackMapExec to check credentials, dump local SAM hashes, and leverage the Impacket suite (secretsdump, psexec.py) for further access, along with a brief mention of hash cracking with Hashcat. → infosecwriteups.com
2026-07-04 2026Host & Network Penetration Testing: Exploitation CTF 2 — eJPT (INE) intermediate 3 min read AuthNWalkthrough of eJPT Exploitation CTF 2, chaining SMB brute-forcing for user tom's weak password to obtain leaked hashes, then performing a Pass-the-Hash attack against user nancy. These credentials lead to FTP access for user david, revealing flag3.txt and enabling an ASPX webshell upload to retrieve flag4.txt. → infosecwriteups.com
2026-07-04 2026Exploiting Resource-Based Constrained Delegation (RBCD) intermediate 8 min readWriteup on exploiting Resource-Based Constrained Delegation (RBCD) to achieve full Computer Account takeover. The article details how RBCD, introduced in Windows Server 2012, flips the trust direction from outgoing to incoming, allowing any account with write permissions on a computer object to modify its `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute. This vulnerability can be exploited by creating a new computer account (Service A) with an SPN, obtaining a non-forwardable Kerberos ticket via S4U2Self, and then using RBCD to impersonate users to a target resource (Service B) via S4U2Proxy. → infosecwriteups.com
2026-07-02 2026Privilege escalation to root in Lima QEMU guests via a world-writable agent socket (CVE-2026-53657) intermediate 7 min readWriteup detailing CVE-2026-53657, a privilege escalation vulnerability in Lima's QEMU guest agent. An unprivileged user within a QEMU guest could exploit a world-writable, root-owned socket to execute commands as root due to a lack of authentication on the agent's gRPC API and a forwarding RPC. This vulnerability only affects the QEMU driver, not the default VZ driver. Lima v2.1.3 addresses this by restricting socket permissions and ownership.
2026-07-02 2026Auditing OpenReception: 16 CVEs in an end-to-end encrypted appointment booking platform (unauthenticated admin creation, account takeover, E2E bypass) intermediate 8 min read API Sec AuthNAnalysis of OpenReception reveals sixteen CVEs, including four critical vulnerabilities. Tenant administrators can self-promote to GLOBAL_ADMIN (CVE-2026-48086), and unauthenticated users can create GLOBAL_ADMIN accounts after initial setup (CVE-2026-48085). WebAuthn passkey injection allows account takeover by linking a passkey to a victim's account (CVE-2026-48087). The platform's end-to-end encryption is defeated by staff crypto poisoning, enabling silent decryption of bookings (CVE-2026-48088).
2026-07-02 2026Auth Bypass is it? intermediate API Sec AuthNWriteup details a bypass of an MSPACE-style auto-login feature where the backend accepted a fake inner MSPACE token within an encrypted JSON request body, despite a valid outer API bearer token being present. This vulnerability was discovered by observing client-side encrypted API flows and testing how the application handled decrypted data originating from the browser. → infosecwriteups.com
2026-07-02 2026Why Being in the Docker Group Is a Backdoor to Your Whole System intermediate RCEWriteup demonstrating how membership in the `docker` group grants root access on Linux hosts, bypassing the need for `sudo`. This is not an exploit, but a design consequence of Docker, allowing users to manage containers but also effectively gain full host control through mounted volumes and privileged container operations. Administrators should avoid adding users to the `docker` group on shared or production systems. → infosecwriteups.com
2026-07-02 2026Hack Smarter — City Council (Active Directory) intermediate 20 min read AuthNWriteup detailing the compromise of a City Council Active Directory environment, starting with only an IP address. The process involved initial port scanning with rustscan, web enumeration with gobuster, and reverse engineering an application executable with strings to uncover a service account. The service account's password was then extracted by intercepting application traffic with Wireshark. Finally, BloodHound was used to map the Active Directory structure via credentials obtained for the svc_services_portal account. → infosecwriteups.com
2026-06-30 2026The Red Agent POV: Exploiting Broken Object-Level Authorization in an Airline GraphQL API intermediate 6 min read GraphQLWriteup detailing an automated AI agent's exploitation of Broken Object-Level Authorization (BOLA) in an airline's GraphQL booking API. The agent autonomously mapped the architecture, minted an anonymous session, and leveraged unprotected resolvers with sequential booking IDs to extract sensitive passenger data, including names, addresses, masked credit cards, and flight itineraries, also gaining write capabilities over active bookings. This bypass of frontend authentication highlights the critical need for backend, object-level authorization checks on all API resolvers. → wiz.io
2026-06-27 2026Intigriti Bug Bytes #237 - June 2026 🚀 news 10 min read Bug Bounty RCELibrary focusing on AI security and bug bounty insights, featuring interviews with researchers like Cristian Zot and Leo Racanelli on AI's role in offensive security and securing AI systems. It also highlights the Intigriti Quick Scope (IQS) Burp Suite extension, awarded by PortSwigger, and discussions on balancing AI tooling with human judgment. The entry touches upon exploiting vulnerabilities such as DOMPurify bypasses and insecure CSP rules, alongside tools like AFL++ and Metis for fuzzing and code review. → intigriti.com
2026-06-25 2026TryHackMe — Mr. Robot CTF | Full Write-Up intermediate Bug BountyPlatform: TryHackMe Room: Mr. Robot CTF Difficulty: Medium Author: Shikhali Jamalzade ( @alisalive ) Date: May 2026 Tags: #CTF #TryHackMe #WordPress #PrivilegeEscalation #PenTest #MrRobot “Give a man ... → infosecwriteups.com
2026-06-25 2026Identiverse 2026: The Challenges Of Solving Identity For AI Agents At Scale news 11 min read AITalk summarizing Identiverse 2026 highlights challenges in solving identity for AI agents at scale, mirroring the Hoover Dam's population boom. Key discussions focused on ownership, lifecycle, and least privilege for non-human identities (NHIs) and agents, with emphasis on governance at credential creation, built-in auditability, and agent accountability. Solutions explored include intent-scoped, just-in-time access over API keys, SPIFFE-based attestation, and per-workflow OIDC tokens to eliminate secrets, ensuring secure paths are the default for citizen developers. → blog.gitguardian.com
2026-06-24 2026Wiz launches support for Google Cloud excessive access findings based on audit logs news 2 min readLibrary support for Google Cloud excessive access findings analyzes audit logs, providing visibility into over-provisioned permissions and inactive users/service accounts. This enables organizations to enforce the principle of least-privilege access and prevent privilege escalation, even for customers without IAM Recommender enabled or those on lower Security Command Center pricing tiers. Wiz identifies identity risks that can create attack paths, such as publicly exposed compute instances with excessive privileges. → wiz.io
2026-06-23 2026Secure non-human identities with Wiz’s newest CIEM dashboard intermediate 3 min read SecretsDashboard for securing non-human identities, addressing risks like exposed, privileged, or vulnerable service accounts, with 42% of organizations exhibiting such issues. This CIEM tool offers visibility into machine identities, detects risky service accounts, visualizes activity by country, and prioritizes risks. It leverages attack path analysis to identify lateral movement and data access pathways, aiding security teams in multi-cloud environments without requiring deep expertise in each platform. → wiz.io
2026-06-23 2026New EKS Access Management and Pod Identity features: a security analysis intermediate 9 min readAnalysis of EKS Access Management and Pod Identity features reveals their impact on existing security controls. These new mechanisms, including "access entries" and "access policies" for cloud-to-cluster interaction, and the "eks-pod-identity-agent" for cluster-to-cloud communication, simplify identity management but introduce new complexities in permission auditing. Understanding the "API_AND_CONFIG_MAP" authentication mode and the union of access rules from both EKS API and `aws-config` is crucial for calculating effective permissions, alongside managing the security of identity tokens against lateral movement vectors. → wiz.io
2026-06-23 2026New attack vectors in EKS intermediate 9 min readAnalysis of new EKS attack vectors introduced by EKS Access Entries and Pod Identity, detailing how compromised IAM identities can enumerate accessible clusters via `ListAssociatedAccessPolicies` and `DescribeAccessEntry` APIs. The report further explores privilege escalation possibilities on both cloud and Kubernetes RBAC levels, including scenarios involving `AmazonEKSClusterAdminPolicy`, `AmazonEKSEditPolicy`, and exploitation of exposed secrets or sensitive `ConfigMap` files. → wiz.io
2026-06-23 2026NamespaceHound: protecting multi-tenant K8s clusters intermediate 7 min readTool for assessing Kubernetes multi-tenant cluster risks, NamespaceHound detects potential namespace crossing violations and anonymous access opportunities. This open-source Python CLI tool analyzes cluster configurations to identify attack paths that could lead to cross-tenant security breaches. It helps cluster operators and red teamers by revealing vulnerabilities, extending the PEACH framework for tenant isolation assessment. → wiz.io
2026-06-20 2026Defeating Kubernetes Privilege Escalation: A Cloud Detection & Response Case Study intermediate 3 min readCase study detailing a real-world attack where adversaries escalated privileges from Kubernetes to AWS control planes. The attack leveraged a newly published RCE CVE on an open-source application running on an EKS pod's EC2 instance, which was misconfigured with internet access. This allowed exploitation to gain access to the EC2 instance IAM role via the Instance Metadata Service (IMDS), highlighting the need for rapid, contextualized cloud detection and response. → wiz.io
2026-06-19 2026Data access governance: Who's got the keys to your data kingdom? beginner 4 min readCapabilities for data access governance leverage Wiz DSPM and CIEM to discover sensitive data, analyze effective permissions of human and non-human identities, and govern access to critical data across multi-cloud environments, including Snowflake and OpenAI, while identifying and remediating risky identities with access to sensitive information. → wiz.io
2026-06-19 2026Preventing broken access control in express Node.js applications beginner 11 min read API SecLibrary detailing broken access control vulnerabilities in Express Node.js applications, covering scenarios like unprotected admin panels, predictable user IDs leading to IDOR, and insecure direct object references. It illustrates how to prevent issues such as vertical privilege escalation and horizontal data exposure, emphasizing the risks of clear text logging and insufficient CSRF protection within Express middleware. → snyk.io
2026-06-19 2026I almost ordered a product for free. (Business Logic Vulnerability) beginnerSecurity engineer Sumeet Mahadik discovered a business logic vulnerability that nearly allowed him to order a product for free. While the exact method isn't detailed, the vulnerability presented an opportunity for significant savings. The content is the beginning of a blog post where Mahadik intends to explain his findings. No bounty payout amount is mentioned. → infosecwriteups.com
2026-06-19 2026“Bug Bounty Bootcamp #47: Account Takeover 101 — How to Steal Everyone’s Account (Legally)” beginner IDORThis article from Bug Bounty Bootcamp #47, "Account Takeover 101," explains how to legally perform account takeovers. It highlights common vulnerabilities like Insecure Direct Object References (IDOR), leaked invite links, and mass-assignable "role" fields as key entry points. The content suggests that sophisticated hacking skills are not necessary to exploit these weaknesses. → infosecwriteups.com
2026-06-18 2026New Developments in LLM Hijacking Activity intermediate 3 min read AIWriteup on the JINX-2401 LLM hijacking campaign targeting AWS, detailing IAM privilege escalation tactics and attempts to invoke Bedrock models. This campaign leverages compromised IAM user access keys and employs specific naming conventions for newly created IAM users and policies like "New_Policy". The report also highlights detection strategies for CloudTrail logs and Wiz Defend rules to identify suspicious activity related to LLM abuse and IAM credential misuse. → wiz.io
2026-06-17 2026Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) news 4 min read RCEAnalysis of CVE-2024-50603, an unauthenticated RCE vulnerability in Aviatrix Controller, details its exploitation in the wild for cryptojacking and backdoor deployment, including Sliver and Mirai. This command injection flaw, stemming from improper input neutralization, allows arbitrary command execution and can lead to privilege escalation in AWS control planes. Patched versions 7.1.4191 and 7.2.4996 address this critical vulnerability. → wiz.io
2026-06-17 2026TryHackMe — Checkmate | Full Walkthrough beginner Bug Bounty OSINTThis TryHackMe room, "Checkmate," is an easy-level lab focusing on password attacks, OSINT, and privilege escalation. It simulates an internal network compromise by exploiting an IT employee's weak password habits. The lab involves gaining access to various systems, including a firewall panel and SSH, by leveraging these vulnerabilities. → infosecwriteups.com
2026-06-16 2026How to use the new CloudTrail network activity events for AWS VPC Endpoints intermediate 6 min readReference on AWS VPC Endpoint CloudTrail network activity events, detailing how to enable and utilize these new opt-in events for CloudTrail to gain visibility into API activity traversing VPC Endpoints. It covers using these logs for safely developing VPC Endpoint Policies, detecting data exfiltration, and understanding network connections between VPC services and AWS resources, with specific mention of supported services like S3 and KMS, and considerations for cost and coverage compared to Data Events. → wiz.io
2026-06-16 2026CIEM and Secure Cloud Access: Best Practices from Wiz and CyberArk intermediate 5 min readLibrary integrating Wiz and CyberArk, this resource details best practices for Cloud Infrastructure Entitlements Management (CIEM) and Secure Cloud Access. It emphasizes gaining full visibility into cloud identities and permissions, enforcing least privilege, prioritizing critical attack paths, and implementing Zero Standing Privileges (ZSP). The entry also covers applying privilege controls post-authentication, maintaining continuous identity governance, and enabling on-demand access for unplanned events, aiming to balance security with productivity. → wiz.io
2026-06-16 2026Wiz Data Foundations: Where’s My Sensitive Data—And Who Can Access It? intermediate 3 min readLibrary for cloud data security that offers visibility into sensitive data locations and access controls. It features an agentless scan to detect and classify sensitive data, a Data Stores Treemap for visualizing data distribution by resource type and sensitivity, and multiple workflows to explore access entitlements by data store, identity, or through the Security Graph. The library helps identify who can access sensitive data, how access was granted, and any associated risks, supporting workflows from broad trends to deep, targeted investigations. → wiz.io
2026-06-16 2026Federal Data, Meet your New Bodyguard: DSPM joins Wiz for Government news 3 min readLibrary for automated sensitive data discovery and classification within FedRAMP environments. This DSPM solution provides visualization of data residency, access controls, and attack paths, aiding in compliance with regulations like GDPR, CCPA, HIPAA, FISMA, OMB M-17-12, CMMC, and Zero Trust principles. It supports agentless scanning, custom data classification rules, and AI readiness by identifying sensitive training data and potential leaks, ultimately reducing the data attack surface and accelerating federal data security use cases. → wiz.io
2026-06-16 2026What Analyzing Hundreds of Thousands of Cloud Environments Taught Us About Data Exposure intermediate 2 min readReport analyzing hundreds of thousands of cloud environments, revealing that 54% have exposed VMs and serverless instances with sensitive data, and 35% of these are also vulnerable to critical threats. It highlights that 72% of environments have publicly accessible PaaS databases lacking access controls, and 12% still have exposed and exploitable containers. The findings emphasize the need to prioritize actions based on the context of exposure, vulnerability, and data sensitivity. → wiz.io
2026-06-15 2026What Changed in OWASP Top 10 2025? Full Breakdown & Recommendations beginner 13 min readAnalysis of the OWASP Top 10 2025 identifies two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10). Security Misconfiguration has jumped to #2, highlighting risks from continuous deployment without continuous scanning. Broken Access Control (A01) now explicitly includes BOLA and BFLA, crucial for API security. While OWASP's recommendations are sound, their application requires mature SDLC discipline and unified tooling. Software Supply Chain Failures (A03) shows a high incidence rate but low CVE coverage, indicating current attacks with limited scanner detection. Addressing these shifts by category can improve an organization's security posture.
2026-06-15 2026Wiz Research Uncovers Critical Vulnerability in AI Vibe Coding platform Base44 Allowing Unauthorized Access to Private Applications news 8 min read AIWriteup on an authentication bypass vulnerability in the Base44 vibe coding platform, discovered by Wiz Research. Attackers could exploit undocumented registration and email verification endpoints by providing a non-secret `app_id` to create verified accounts for private applications, bypassing SSO and gaining unauthorized access to sensitive enterprise data. The flaw was fixed within 24 hours by Base44 and Wix. → wiz.io
2026-06-15 2026Securing the Digital Future: AppSec Best Practices in Digital Banking beginner 3 min read API SecTalk slides from the Digital Banking Asia Summit 2024 outlining application security best practices for financial services. The presentation highlights key challenges including regulatory compliance, third-party integration, sophisticated attackers, complex architectures, legacy systems, resource limitations, insider threats, and balancing release velocity with security. It also addresses developer-security team disconnects due to lack of shared context, leadership priorities for CTOs and CISOs, and five pillars of success: developer adoption, security trust, effective fix delivery, a comprehensive platform, and a strong partner ecosystem. → snyk.io
2026-06-15 2026BFI’s Journey in Digital Transformation: A Fireside Chat on Elevating Application Security and Developer Experience beginner 2 min read API SecTalk at CISO Indonesia 2024 detailing BFI Finance's shift-left security strategy using Snyk. The discussion highlights BFI's transition from reactive pen tests and container scans to proactive measures like pull request scans, in-development code scans, IaC scans for Terraform, and container scans. Key results include zero critical/high production issues, defined patch grace periods, improved developer experience via IDE and CI/CD integration, and enhanced reporting. Lessons learned emphasize cross-team collaboration and cultural transformation for embedding security standards. → snyk.io
2026-06-14 2026Wiz Research Discovers One in Five Organizations Exposed to Systemic Risks in Vibe-Coded Applications - Here's How to Secure Them intermediate 8 min read API SecLibrary for securing applications built with "vibe coding" platforms like Lovable. It details common risks such as authentication logic living entirely in the browser, API keys and secrets exposed in client-side code, and database tables being wide-open. Solutions include enforcing server-side authentication, proxying API calls through a secure backend, and implementing proper Row-Level Security (RLS) for databases like Supabase. → wiz.io
2026-06-14 2026Beyond CVEs: The Exploitation of Everyday Misconfigurations beginner 6 min read API SecLibrary detailing the exploitation of common cloud application misconfigurations, moving beyond traditional CVEs. It covers unrestricted access, default/weak credentials, excessive permissions, and exposed databases, providing real-world case studies of abuse. Examples include Selenium Grid RCE via arbitrary command execution, Spring Boot Actuator SSRF and sensitive data leakage through heap dumps, and PostgreSQL command execution using the `COPY FROM PROGRAM` feature with weak credentials. The library emphasizes proactive perimeter scanning and shifting security left within CI/CD pipelines to mitigate these risks. → wiz.io
2026-06-14 2026CVE-2025-29927 Authorization Bypass in Next.js Middleware news 3 min read API SecWriteup of CVE-2025-29927, an authorization bypass vulnerability in Next.js middleware. This critical 9.1 severity flaw affects Next.js versions prior to 15.2.3, 14.2.25, and 13.5.9. Attackers can bypass middleware logic and access protected routes by manipulating the `x-middleware-subrequest` HTTP header. Developers are urged to upgrade Next.js versions or apply firewall rules to mitigate the risk. → snyk.io
2026-06-13 2026Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) - watchTowr Labs news 15 min read RCEAnalysis of Splunk Enterprise CVE-2026-20253 details a pre-authentication RCE vulnerability affecting Splunk versions 10 and above. The flaw resides in the PostgreSQL Sidecar Service Endpoint, which, when installed and enabled by default (as on AWS deployments), allows unauthenticated attackers to trigger file operations via a proxied HTTP request to the main Splunk web application. This insecure endpoint, exposed on localhost but accessible through the main interface, can be leveraged for unauthorized actions. → labs.watchtowr.com
2026-06-13 2026Header Manipulation: Bypasses, Probing, and the Security Audit Nobody Does intermediate API SecRequest headers are not mere metadata but critical inputs that can be manipulated. Attackers exploit this to bypass access controls, probe for misconfigurations, spoof identities, and test security. This article delves into header manipulation techniques frequently encountered in penetration testing platforms, emphasizing their role in security assessments. → infosecwriteups.com
2026-06-13 2026Full Fathom Five: The context of Anthropic’s Mythos-class public release beginner 6 min read AIReference detailing Anthropic's Claude Fable 5 release, clarifying it routes cybersecurity prompts to Opus 4.8 and is not for vulnerability discovery. It emphasizes that advanced LLMs aren't required for finding issues like IDORs and business logic flaws, highlighting that misconfigurations, exposed services, and broken identity edges constitute 80% of security problems, not just CVEs. The analysis critiques the fetishization of CVEs and zero-days, suggesting LLM tokens are better utilized for defensive scans, remediation, and exposure management. → aikido.dev
2026-06-13 2026KCD New York 2026: Trust, Agents, and the Work Behind the Work news 8 min read AI API SecTalk slides from KCD New York 2026 cover securing cloud-native systems through zero trust principles with Istio Ambient Mesh, addressing discrepancies in Kubernetes CVE data from sources like MITRE and maintainer discussions, and enabling autonomous multi-cluster remediation via agentic AI and MCP servers. The importance of a "trust ladder" for remediation, starting with recommendations and progressing to opt-in auto-remediation, is highlighted, emphasizing robust identity and RBAC. The event also stressed that community, not just technology, forms the essential infrastructure for open-source projects, with initiatives like contributor onboarding crucial for sustainability. → blog.gitguardian.com
2026-06-12 2026Bringing Oracle Cloud Identity to Wiz intermediate 3 min readLibrary support for Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) provides unified visibility across OCI, AWS, Azure, and GCP. It normalizes OCI's Identity Domains, Compartments, and natural-language policies into Wiz's security graph, allowing analysis of users, groups, service principals, access paths, and OCI API keys. This enables consistent cross-cloud controls and threat analysis by mapping OCI constructs like resource types and permissions to Wiz objects and access types. → wiz.io
2026-06-11 2026Jupyter Enterprise Gateway - From Notebook to Kubernetes Cluster Admin - elttam intermediate 9 min readWriteup detailing three vulnerabilities found in Jupyter Enterprise Gateway v3.2.3, allowing a notebook user to escalate privileges to full Kubernetes cluster administrator. These vulnerabilities, responsibly disclosed to the Jupyter security team and patched in v3.3.0, enable a user to bypass UID/GID restrictions by providing values with trailing spaces, leading to root execution within kernel pods. Combined with hostPath volume mounts, this allows access to sensitive cluster secrets, mounting host filesystems, and the creation of arbitrary privileged pods, potentially compromising the entire cluster.

Frequently Asked Questions

What is broken access control?
Broken access control occurs when an application fails to enforce restrictions on what authenticated users are allowed to do. This can lead to unauthorized access to other users' data, privilege escalation to admin roles, or performing actions outside the user's intended permissions — such as modifying or deleting resources they should not have access to.
What is the difference between authentication and authorization?
Authentication verifies identity (who are you?), while authorization determines permissions (what can you do?). A user can be properly authenticated but still access resources they shouldn't if authorization checks are missing or flawed. Many critical vulnerabilities arise from this distinction being overlooked.
How do you test for authorization vulnerabilities?
Test by accessing resources with different user roles, manipulating tokens or session cookies, changing IDs in API requests, and attempting to reach admin endpoints as a regular user. Tools like Autorize (Burp extension) automate this by replaying requests with different session tokens to detect missing authorization checks.

Weekly AppSec Digest

Get new resources delivered every Monday.