bytebase - Improper Authorization
Description
The "Bytebase" application does not restrict low-privilege users from accessing "admin issues": an unauthorized user can view the "OPEN" and "CLOSED" issues created by "Admin". The affected endpoint is "/issue".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bytebase does not enforce access controls on the /issue endpoint, allowing low-privilege users to view admin-created issues that should be restricted.
The vulnerability resides in Bytebase's authorization logic for the /issue endpoint. Low-privilege users are not restricted from accessing issues that were created by administrators, despite the intended access control design. The affected endpoint exposes both "OPEN" and "CLOSED" issues belonging to the "Admin" user, violating the principle of least privilege [1][4].
An attacker with a low-privilege account can exploit this by simply sending GET requests to the /issue endpoint. No special authentication or elevated privileges are required beyond having a valid low-privilege session. The vulnerability exists because the server does not verify whether the requesting user is authorized to view issues that belong to other roles [1][3].
A successful exploit allows an unauthorized user to read sensitive details from admin-level issues, potentially including database schema change requests, approval workflows, and other confidential operational data. This information disclosure could aid further attacks or expose internal processes [4].
As of version 1.0.4, the vulnerable code exists in the frontend store module that retrieves issues without filtering by principal [3]. Users are advised to upgrade to a patched version of Bytebase as soon as it becomes available. No workaround is documented.
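The flaw described above is a missing server-side authorization check on an issue-listing endpoint. The following Go program is an added illustration, not Bytebase's code: it models a minimal /issue handler with two interchangeable listing functions, one that returns every issue regardless of the caller (the flaw class) and one that filters by the requesting principal. The Principal, Issue and Role types, the "OWNER"/"DEVELOPER" role names, the session-lookup hook and the sample issues are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role, Principal and Issue are simplified stand-ins for the example; they are
// not Bytebase's types and the role names are assumptions.
type Role string

const (
	RoleOwner     Role = "OWNER"
	RoleDeveloper Role = "DEVELOPER"
)

type Principal struct {
	ID   int
	Role Role
}

type Issue struct {
	ID        int    `json:"id"`
	Title     string `json:"title"`
	Status    string `json:"status"` // "OPEN" or "CLOSED"
	CreatorID int    `json:"creatorId"`
}

// Constructed sample data: issues 1 and 2 were created by the admin (ID 1),
// issue 3 by a developer (ID 2).
var sampleIssues = []Issue{
	{ID: 1, Title: "Alter schema on prod", Status: "OPEN", CreatorID: 1},
	{ID: 2, Title: "Rotate DB credentials", Status: "CLOSED", CreatorID: 1},
	{ID: 3, Title: "Add index on orders", Status: "OPEN", CreatorID: 2},
}

// Lister is the signature shared by both listing strategies so the handler
// can be wired to either one.
type Lister func(Principal, []Issue) []Issue

// ListIssuesUnfiltered models the flaw class: every issue is returned no
// matter who asks, so a low-privilege caller sees admin-created issues too.
func ListIssuesUnfiltered(_ Principal, all []Issue) []Issue {
	return all
}

// ListIssuesAuthorized applies the check the description says is missing:
// owners may see everything, everyone else only the issues they created.
func ListIssuesAuthorized(p Principal, all []Issue) []Issue {
	if p.Role == RoleOwner {
		return all
	}
	visible := []Issue{}
	for _, is := range all {
		if is.CreatorID == p.ID {
			visible = append(visible, is)
		}
	}
	return visible
}

// IssueHandler builds a GET /issue handler. principalOf stands in for a
// session lookup (an assumption); the authorization decision is delegated
// to the Lister so the two strategies can be compared side by side.
func IssueHandler(principalOf func(*http.Request) (Principal, bool), list Lister) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, ok := principalOf(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(list(p, sampleIssues))
	})
}

// FetchIssues drives a GET /issue through the handler as the given principal
// and decodes the issues the response contained.
func FetchIssues(p Principal, list Lister) ([]Issue, error) {
	h := IssueHandler(func(*http.Request) (Principal, bool) { return p, true }, list)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/issue", nil))
	if rec.Code != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", rec.Code)
	}
	var got []Issue
	if err := json.NewDecoder(rec.Body).Decode(&got); err != nil {
		return nil, err
	}
	return got, nil
}

func main() {
	dev := Principal{ID: 2, Role: RoleDeveloper}
	got, _ := FetchIssues(dev, ListIssuesUnfiltered)
	fmt.Println("unfiltered, developer sees:", len(got)) // 3, including both admin issues
	got, _ = FetchIssues(dev, ListIssuesAuthorized)
	fmt.Println("authorized, developer sees:", len(got)) // 1
}
```

The point of the comparison is where the decision lives: the authorized variant filters on the server using the principal attached to the session, so a client that simply requests /issue cannot widen its view, whereas any filtering done only in a frontend store is advisory and reproduces the exposure described above.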
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/bytebase/bytebase | Go | >= 0.1.0, <= 1.0.4 | — |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-5rc4-v5mj-g8c4 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-32169 (GHSA advisory)
- [3] github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/issue.ts (GHSA, web)
- [4] github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/issue.ts (MITRE, x_refsource_MISC)
- [5] www.mend.io/vulnerability-database/CVE-2022-32169 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.