- Status Closed
-
Assigned To
cbay - Private
Opened by deathstormxp - 31.12.2025
Last edited by cbay - 31.12.2025
FS#273 - Race Condition Allows Concurrent Creation of Multiple Database Users Across RabbitMQ, and MySQL......
Affected Endpoint: https://admin.alwaysdata.com/
Severity: Medium
Functionality: Database user provisioning
Affected Services: RabbitMQ, PostgreSQL, MySQL
Vulnerability Type
Race Condition
Business Logic Flaw
CWE: CWE-362 (Race Condition)
Description:
The application does not properly handle concurrent (parallel) requests during database user provisioning.
When multiple creation requests are sent in parallel, the backend processes them simultaneously without enforcing serialization, locking, or queuing. This allows multiple database users to be created at the same time, across several backend services.
Although duplicate names are correctly rejected, the system fails to restrict concurrent provisioning, resulting in uncontrolled creation of database users and triggering infrastructure-level actions.
Steps to Reproduce:
Log in to the admin panel.
Initiate database user creation.
Capture the POST request using Burp Suite.
Send multiple parallel requests (race condition).
When duplicate name validation occurs, change the username.
Immediately resend parallel requests.
Observe that multiple database users are created simultaneously.
Actual Behavior:
Multiple database users are created simultaneously.
Backend services execute provisioning tasks in parallel.
No locking or concurrency control is applied.
Impact
An attacker could:
Mass-create database users rapidly
Abuse provisioning workflows
Trigger repeated service restarts
Exhaust system or paid resources
Note: I have attached some pictures and video as evidence so you can check it…..
Screenshot 2025-12-31 052030....
Screen Recording 2025-12-31 0...
Hello,
I don't understand the report. Yes, you can create multiple users (or do multiple actions) in parallel. How is that a vulnerability?
Kind regards,
Cyril
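An added example, not code from the reporter or from alwaysdata: parallel creation becomes a CWE-362 problem only when it lets requests break an invariant that a check was supposed to hold, and serializing the check with the write is the mitigation the report asks for. The per-account cap `MAX_USERS`, the `Provisioner` class and the user names are assumptions made for illustration; the thread above does not say that any such limit exists.

```python
import threading

MAX_USERS = 3  # hypothetical per-account cap; the report does not state one


class Provisioner:
    """Toy provisioning backend (hypothetical) with a name check and a cap."""

    def __init__(self, serialize, workers):
        self.users = set()
        self.serialize = serialize
        self.lock = threading.Lock()
        # Forces the worst-case interleaving in the unserialized path:
        # every request finishes its check before any request writes.
        self.gate = threading.Barrier(workers)

    def _allowed(self, name):
        return name not in self.users and len(self.users) < MAX_USERS

    def create(self, name):
        if self.serialize:
            with self.lock:  # check and write happen as one atomic step
                if not self._allowed(name):
                    return False
                self.users.add(name)
                return True
        ok = self._allowed(name)  # check ...
        self.gate.wait()          # ... the other requests run their checks ...
        if ok:
            self.users.add(name)  # ... then each acts on a stale answer
        return ok


def run(serialize, names):
    """Send one concurrent create request per name; return users created."""
    p = Provisioner(serialize, len(names))
    threads = [threading.Thread(target=p.create, args=(n,)) for n in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(p.users)


NAMES = [f"user{i}" for i in range(10)]  # constructed sample input

if __name__ == "__main__":
    print("unserialized:", run(False, NAMES))
    print("serialized:  ", run(True, NAMES))
```

Without a cap or another shared invariant, both paths only create the distinct users that were requested, which is the behaviour described in the reply.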
ok
Test store xss