Permissions not properly checked in Invenio-Drafts-Resources
Description
Invenio-Drafts-Resources fails to check record ownership on publish, allowing authenticated users to publish others' drafts if they know the record ID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The publish() method in the service layer calls self.require_permission(identity, "publish") without passing the record object, so the RecordOwners need generator defaults to allowing any authenticated user when no record is provided [1][2]. This affects default installations of InvenioRDM.
Exploitation
An authenticated attacker can publish draft records of other users via REST API calls if they know the record identifier and the draft validates (e.g., all required fields are filled). No special privileges or user interaction is required beyond authentication [1][2].
Impact
The attacker gains the ability to publish another user's draft record, making it publicly visible (or visible according to the record's access settings). However, the attacker cannot modify the data in the record, so they cannot change access restrictions (e.g., from restricted to public) [1][2].
Mitigation
The issue is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which are included in InvenioRDM v6.0.1 and v7.0 respectively [1][2]. Users should upgrade to these versions. There is no known workaround.
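To make the mechanics of the "Vulnerability" and "Mitigation" sections concrete, here is an added, self-contained model of the permission pattern described above. It is not Invenio's code: `Need`, `Identity`, `Draft`, `DraftService`, the `AUTHENTICATED` fallback need and the sample draft id `abcde-12345` are hypothetical stand-ins constructed for this illustration, and `RecordOwners`, `require_permission` and the resolve-then-check ordering are modelled on the advisory text and the patch, not on the library's real classes. It shows why `require_permission(identity, "publish")` without a record lets any authenticated identity through, and why passing `record=draft` restricts the action to the draft's owners.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


class PermissionDenied(Exception):
    """Raised when the identity provides none of the needs an action requires."""


@dataclass(frozen=True)
class Need:
    """A provided/required capability, e.g. ('user', 7) or ('authenticated', 0)."""
    kind: str
    value: int = 0


# Need that every logged-in identity provides (hypothetical stand-in for a
# generic authenticated-user need; an assumption of this model).
AUTHENTICATED = Need("authenticated")


@dataclass
class Identity:
    user_id: int
    provides: set = field(default_factory=set)

    def __post_init__(self) -> None:
        self.provides |= {AUTHENTICATED, Need("user", self.user_id)}


@dataclass
class Draft:
    id_: str
    owner_ids: tuple
    valid: bool = True
    published: bool = False


class RecordOwners:
    """Need generator: the draft's owners may act on it.

    Modelled on the advisory text: when no record is supplied, the generator
    falls back to a need that any authenticated user provides.
    """

    def needs(self, record: Optional[Draft] = None) -> set:
        if record is None:
            return {AUTHENTICATED}
        return {Need("user", uid) for uid in record.owner_ids}


class DraftService:
    """Hypothetical service exposing both orderings of the publish() check."""

    def __init__(self, drafts):
        self._drafts = {d.id_: d for d in drafts}
        self.policy = {"publish": [RecordOwners()]}

    def resolve(self, id_: str) -> Draft:
        # Stand-in for self.draft_cls.pid.resolve(id_, registered_only=False).
        if id_ not in self._drafts:
            raise LookupError(f"no draft with id {id_!r}")
        return self._drafts[id_]

    def require_permission(self, identity, action, record=None) -> None:
        needed = set()
        for generator in self.policy[action]:
            needed |= generator.needs(record=record)
        if not (identity.provides & needed):
            raise PermissionDenied(f"{action} denied for user {identity.user_id}")

    def publish_vulnerable(self, id_, identity) -> Draft:
        # Pre-fix ordering: the check runs without the record, so the owner
        # generator can only offer its authenticated-user fallback.
        self.require_permission(identity, "publish")
        return self._publish(self.resolve(id_))

    def publish_fixed(self, id_, identity) -> Draft:
        # Post-fix ordering (as in commit 039b0cff1ad4): resolve first, then
        # check against the actual draft so only its owners match.
        draft = self.resolve(id_)
        self.require_permission(identity, "publish", record=draft)
        return self._publish(draft)

    def _publish(self, draft: Draft) -> Draft:
        if not draft.valid:
            raise ValueError("draft does not validate")
        draft.published = True
        return draft


def make_service() -> DraftService:
    """Constructed sample data: one valid draft owned by user 1."""
    return DraftService([Draft("abcde-12345", owner_ids=(1,))])


def attempt(method: str, draft_id: str, identity: Identity) -> str:
    """Run one publish variant on a fresh service and report the outcome."""
    service = make_service()
    try:
        getattr(service, method)(draft_id, identity)
    except PermissionDenied:
        return "denied"
    return "published"


if __name__ == "__main__":
    owner, other = Identity(1), Identity(2)
    for method in ("publish_vulnerable", "publish_fixed"):
        print(method, "owner:", attempt(method, "abcde-12345", owner),
              "non-owner:", attempt(method, "abcde-12345", other))
```

Running the block prints that the non-owner is "published" under `publish_vulnerable` and "denied" under `publish_fixed`, while the owner succeeds in both. The design point for anyone writing a similar policy layer: a generator's no-record fallback should fail closed, and any check that depends on the record must run after the record has been loaded, which is exactly the reordering the upstream fix makes.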
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| invenio-drafts-resources (PyPI) | < 0.13.7 | 0.13.7 |
| invenio-app-rdm (PyPI) | < 6.0.5 | 6.0.5 |
| invenio-rdm-records (PyPI) | < 0.32.6 | 0.32.6 |
| invenio-drafts-resources (PyPI) | >= 0.14.0, < 0.14.6 | 0.14.6 |
| invenio-rdm-records (PyPI) | >= 0.33.0, < 0.33.10 | 0.33.10 |
| invenio-app-rdm (PyPI) | >= 7.0.0.dev0, < 7.0.0.dev5 | 7.0.0.dev5 |
Affected products
4 entries (source: GHSA coordinates; no CPE assigned):
- range: < 6.0.5
- range: < 0.13.7
- range: < 0.32.6
- range: < 0.13.7
Patches
- 039b0cff1ad4: security: fix missing permission check of publish (1 file changed · +1 −2)
invenio_drafts_resources/services/records/service.py+1 −2 modified@@ -267,10 +267,9 @@ def publish(self, id_, identity, uow=None): into records) - Create or update associated (published) record with data """ - self.require_permission(identity, "publish") - # Get the draft draft = self.draft_cls.pid.resolve(id_, registered_only=False) + self.require_permission(identity, "publish", record=draft) # Validate the draft strictly - since a draft can be saved with errors # we do a strict validation here to make sure only valid drafts can be
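Review bot: the fix touches only `service.py` and carries no regression test; add one that calls `publish()` with an identity that is not among the draft's owners and asserts the permission-denied exception (and that the owner still succeeds), so the `record=draft` argument cannot be dropped again without a test failing. Also worth a note in the commit: the check now runs after `draft = self.draft_cls.pid.resolve(id_, registered_only=False)`, which is required because the owner needs can only be generated from a resolved record, but it means resolution errors for an id are raised before the permission check rather than after, so the two error paths should be reviewed for consistent handling.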
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xr38-w74q-r8jv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43781 (GHSA, advisory)
- github.com/inveniosoftware/invenio-drafts-resources/commit/039b0cff1ad4b952000f4d8c3a93f347108b6626 (GHSA, x_refsource_MISC, web)
- github.com/inveniosoftware/invenio-drafts-resources/security/advisories/GHSA-xr38-w74q-r8jv (GHSA, x_refsource_CONFIRM, web)
- github.com/pypa/advisory-database/tree/main/vulns/invenio-app-rdm/PYSEC-2021-837.yaml (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/invenio-drafts-resources/PYSEC-2021-836.yaml (GHSA, web)
News mentions
No linked articles in our index yet.