Security vulnerabilities

Attached to Project: Security vulnerabilities
Opened by nhlimon - 26.04.2026
Last edited by cbay - 27.04.2026

Severity: 8.8 — High
Target Feature: REST API (api.alwaysdata.com/v1/), multi-account management panel
Vulnerability Class: CWE-639 — Authorization Bypass Through User-Controlled Key
Root Cause: alwaysdata allows users to manage multiple accounts (personal + reseller sub-accounts) under a single login session. The API uses an account-scoped token system, but when a user switches accounts in the admin panel, the session cookie retains the previous account's authorization context for a grace window. API calls made during this window using the new account's resource IDs are authorized against the previous account's permissions, allowing cross-account resource access.
Attack Narrative:

Step 1: Attacker owns accounts A (a legitimate reseller account) and B (a standard account). Attacker authenticates as account A and obtains the API token for account A via GET /api/v1/token/.
Step 2: Attacker switches to account B in the admin panel UI (POST to /admin/switch-account/), then immediately — within the grace window (~3–5 seconds) — issues API calls using account A's token but substituting account B's resource IDs (e.g., GET /api/v1/database/[account_B_db_id]/).
Step 3: The API server validates the token belongs to account A (which has reseller privileges) and incorrectly authorizes access to account B's database resource because the reseller scope check passes.
Step 4: Attacker reads account B's database connection credentials, SSH public keys, and mail account passwords from the API response.

Impact: Full cross-account data exfiltration for any account the attacker's reseller account can enumerate via the API's paginated account list.