Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.7
Firefly III User API Endpoints Expose All Users' Information
GHSA-5q8v-j673-m5v4
Summary
Authenticated users without admin or owner roles can view all users' email addresses, roles, and account status. This could be used for phishing or social engineering attacks or to identify sensitive accounts. Firefly III users should update their API to require admin or owner verification for these endpoints.
What to do
- Update grumpydictator firefly-iii to version 6.5.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| grumpydictator | firefly-iii | > 6.4.23 , <= 6.5.0 | 6.5.1 |
Original title
Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)
Original description
### Summary
The User management API endpoints (`GET /api/v1/users` and `GET /api/v1/users/{id}`) are accessible to any authenticated user without admin/owner role verification, exposing all users' email addresses, roles, and account status.
### Affected Endpoints
1. **GET /api/v1/users** (UserController::index, line 94) — Lists ALL users with full details. No role check.
2. **GET /api/v1/users/{id}** (UserController::show, line 126) — Shows any user's details by ID. No role check.
### Root Cause (1-of-N Inconsistency)
Other methods in the same controller properly check for the 'owner' role:
- `store()` — `UserStoreRequest::authorize()` checks `auth()->user()->hasRole('owner')` ✓
- `destroy()` — Explicitly checks `$this->repository->hasRole($admin, 'owner')` ✓
But `index()` and `show()` have no role check at all. The route group at `routes/api.php:734-747` has no admin middleware, only the global `auth:api` middleware.
### Exposed Data
The `UserTransformer` (line 40-54) returns:
- `email` — user's email address
- `role` — user's role (owner/demo)
- `blocked` — account blocked status
- `blocked_code` — block reason
- `created_at` / `updated_at` — timestamps
### Impact
Any authenticated user can:
1. Enumerate ALL user accounts in the instance
2. Harvest email addresses for phishing/social engineering
3. Identify admin/owner accounts by role
4. Determine which accounts are blocked
### Exploitation
```bash
# List all users
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users
# View specific user details
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users/1
```
### Suggested Fix
Add owner role checks to `index()` and `show()`, or restrict the route group with admin middleware:
```php
// Option 1: Add check in controller methods
public function show(User $user): JsonResponse
{
if (!$this->repository->hasRole(auth()->user(), 'owner') && auth()->user()->id !== $user->id) {
throw new FireflyException('200025: No access to function.');
}
// ...
}
// Option 2: Add middleware to route group
Route::group(['middleware' => ['admin'], ...], ...)
```
The User management API endpoints (`GET /api/v1/users` and `GET /api/v1/users/{id}`) are accessible to any authenticated user without admin/owner role verification, exposing all users' email addresses, roles, and account status.
### Affected Endpoints
1. **GET /api/v1/users** (UserController::index, line 94) — Lists ALL users with full details. No role check.
2. **GET /api/v1/users/{id}** (UserController::show, line 126) — Shows any user's details by ID. No role check.
### Root Cause (1-of-N Inconsistency)
Other methods in the same controller properly check for the 'owner' role:
- `store()` — `UserStoreRequest::authorize()` checks `auth()->user()->hasRole('owner')` ✓
- `destroy()` — Explicitly checks `$this->repository->hasRole($admin, 'owner')` ✓
But `index()` and `show()` have no role check at all. The route group at `routes/api.php:734-747` has no admin middleware, only the global `auth:api` middleware.
### Exposed Data
The `UserTransformer` (line 40-54) returns:
- `email` — user's email address
- `role` — user's role (owner/demo)
- `blocked` — account blocked status
- `blocked_code` — block reason
- `created_at` / `updated_at` — timestamps
### Impact
Any authenticated user can:
1. Enumerate ALL user accounts in the instance
2. Harvest email addresses for phishing/social engineering
3. Identify admin/owner accounts by role
4. Determine which accounts are blocked
### Exploitation
```bash
# List all users
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users
# View specific user details
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users/1
```
### Suggested Fix
Add owner role checks to `index()` and `show()`, or restrict the route group with admin middleware:
```php
// Option 1: Add check in controller methods
public function show(User $user): JsonResponse
{
if (!$this->repository->hasRole(auth()->user(), 'owner') && auth()->user()->id !== $user->id) {
throw new FireflyException('200025: No access to function.');
}
// ...
}
// Option 2: Add middleware to route group
Route::group(['middleware' => ['admin'], ...], ...)
```
ghsa CVSS4.0
5.7
Vulnerability type
CWE-863
Incorrect Authorization
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026