Security: Cross-Organization Deployment IDOR in 4 Endpoints (CWE-639) #1088

@lighthousekeeper1212

Description

Summary

Four deployment-related endpoints extract organizationID from the request context but never pass it to the service/storage layer, allowing any authenticated user to access deployment data belonging to other organizations by enumerating deployment IDs.

Affected Endpoints

  1. GetDeploymentById (get_deployment_by_id.go) — Zero authorization check; queries WHERE id = ? only, without any organization scoping.
  2. GetDeploymentLogs (get_deployment_logs.go) — Extracts orgID from context but never passes it to the service or storage layer.
  3. GetLogs (get_logs.go) — Same pattern: extracts orgID but the value is unused in the downstream query.
  4. GetApplicationDeployments (get_application_deployments.go) — Does not extract organizationID at all.

Secure Comparison

GetApplicationById correctly passes organizationID to the storage layer and queries with WHERE id = ? AND organization_id = ?. The four affected endpoints should follow this same pattern.

Impact

Any authenticated user in one organization can:

  • Read deployment details (configuration, environment info, container metadata) belonging to other organizations
  • Read deployment/build logs, which may contain secrets, environment variables, or internal infrastructure details

This is a classic Insecure Direct Object Reference (IDOR) / Broken Object-Level Authorization vulnerability (CWE-639).

Suggested Fix

For each affected endpoint:

  1. Ensure organizationID is extracted from the authenticated context
  2. Pass organizationID to the service and storage layers
  3. Add AND organization_id = ? to all deployment queries, matching the pattern used in GetApplicationById

Example fix for GetDeploymentById:

```go
// Before (vulnerable)
deployment, err := h.storage.GetDeploymentById(id)

// After (secure)
deployment, err := h.storage.GetDeploymentById(id, organizationID)
// Storage layer: WHERE id = ? AND organization_id = ?
```

Classification

  • CWE-639: Authorization Bypass Through User-Controlled Key
  • Severity: High (cross-tenant data exposure in multi-tenant system)

Found during security audit by Lighthouse. Happy to help with verification or review a fix.
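The unscoped versus organization-scoped lookup described in the issue, as an added example that is not the project's own code. The in-memory Store stands in for the SQL storage layer; Store, Deployment, orgIDKey, LookupDeployment and the method names are assumed for this illustration.

```go
package main

import (
	"context"
	"errors"
)

// Constructed stand-in for the storage layer; Store, Deployment, orgIDKey and the
// method names are assumed for this example, not identifiers from the project.
var ErrNotFound = errors.New("deployment not found")

type Deployment struct{ ID, OrganizationID, Image string }
type Store struct{ rows map[string]Deployment }

func NewStore(rows ...Deployment) *Store {
	s := &Store{rows: map[string]Deployment{}}
	for _, d := range rows {
		s.rows[d.ID] = d
	}
	return s
}

// Vulnerable shape: the equivalent of `WHERE id = ?` with no tenant scoping.
func (s *Store) GetDeploymentByIDUnscoped(id string) (Deployment, error) {
	if d, ok := s.rows[id]; ok {
		return d, nil
	}
	return Deployment{}, ErrNotFound
}

// Hardened shape: the equivalent of `WHERE id = ? AND organization_id = ?`.
// A tenant mismatch returns the same ErrNotFound as a missing row, so the
// response does not reveal that the ID exists in another organization.
func (s *Store) GetDeploymentByID(id, orgID string) (Deployment, error) {
	if d, ok := s.rows[id]; ok && d.OrganizationID == orgID {
		return d, nil
	}
	return Deployment{}, ErrNotFound
}

type ctxKey string
const orgIDKey ctxKey = "organizationID"

// Handler-side pattern: take the tenant from the authenticated context and pass
// it down to storage; an organization ID carried in the request is never used.
func LookupDeployment(ctx context.Context, s *Store, id string) (Deployment, error) {
	orgID, ok := ctx.Value(orgIDKey).(string)
	if !ok || orgID == "" {
		return Deployment{}, errors.New("no organization in authenticated context")
	}
	return s.GetDeploymentByID(id, orgID)
}
```

A regression test that asserts a cross-organization ID returns ErrNotFound is the cheapest way to keep the other three endpoints from regressing once they are fixed the same way.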
