VYPR
Unrated severity · NVD Advisory · Published Nov 9, 2020 · Updated Aug 4, 2024

CVE-2020-9300

Description

Netflix Dispatch has multiple access control flaws allowing user privilege escalation and unauthorized access to restricted incidents, patched in v20201106.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Netflix Dispatch, an open-source incident management application, suffers from multiple access control issues in versions prior to the v20201106 release [1]. These include: a regular user can view a restricted incident, a user can escalate their role to admin, a user can add themselves as a participant in a restricted incident, and a user can view restricted incidents via the search feature [1][2]. The vulnerabilities require the attacker to be an authenticated user, reducing risk if deployed following secure deployment guidelines [1].

Exploitation

An authenticated user with a legitimate account can exploit these issues by performing actions such as manually adding themselves to a restricted incident (issue #649), registering an account with administrative privileges (issue #650), or searching for and viewing restricted incident data that should be filtered (issue #651) [2]. No special network position or additional user interaction beyond standard application usage is required, though the attacker must have an account on the Dispatch instance [1].

Impact

Successful exploitation allows an attacker to gain unauthorized access to restricted incident information, escalate their own privileges to admin, or join restricted incidents as a participant [1][2]. The confidentiality and integrity of the application are compromised, as the attacker can view sensitive data and potentially modify incident configurations with administrative rights. Given Dispatch's typical internal deployment, the attacker would need to already have access to a legitimate user account within the organization, lowering the likelihood of external exploitation [1].

Mitigation

The vulnerabilities have been patched in the v20201106 release of Dispatch, published on 2020-11-06 [1][2]. Users should update to this version immediately. The vendor also published production deployment guidelines to help harden Dispatch deployments; following these guidelines reduces risk [1]. No workaround other than the patch is mentioned. The CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.