VYPR
Moderate severity · NVD Advisory · Published Feb 1, 2023 · Updated Mar 26, 2025

Improper Authorization in wallabag/wallabag

CVE-2023-0609

Description

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wallabag/wallabag (Packagist)
Affected versions: >= 2.0.0-alpha.1, < 2.5.3
Patched versions: 2.5.3

Patches

0f7460dbab9e

Merge pull request from GHSA-qwx8-mxxx-mg96

https://github.com/wallabag/wallabag · Jérémy Benoist · Feb 1, 2023 · via ghsa
2 files changed · +27 −4
  • src/Wallabag/CoreBundle/Controller/ExportController.php (+14 −3, modified)
    @@ -6,7 +6,6 @@
     use Symfony\Component\HttpFoundation\Request;
     use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
     use Symfony\Component\Routing\Annotation\Route;
    -use Wallabag\CoreBundle\Entity\Entry;
     
     /**
      * The try/catch can be removed once all formats will be implemented.
    @@ -26,9 +25,21 @@ class ExportController extends Controller
          *
          * @return \Symfony\Component\HttpFoundation\Response
          */
    -    public function downloadEntryAction(Entry $entry, $format)
    +    public function downloadEntryAction(Request $request, $format)
         {
    -        try {
    +         try {
    +            $entry = $this->get('wallabag_core.entry_repository')
    +                ->find((int) $request->query->get('id'));
    +
    +            /**
    +             * We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
    +             *
    +             * This should be eventually rewritten
    +            */
    +            if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
    +                throw new NotFoundHttpException();
    +            }
    +
                 return $this->get('wallabag_core.helper.entries_export')
                     ->setEntries($entry)
                     ->updateTitle('entry')
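Review bot: The `(int) $request->query->get('id')` lookup reads the query string, yet the new test requests `/export/3.mobi`, where the id sits in the path and would normally arrive in `$request->attributes`; please confirm which one the export route supplies, because if the id is a route placeholder, `find(0)` returns null on every request and the 404 in the test comes from the null check rather than from the ownership comparison. The ownership check itself is sound: throwing `NotFoundHttpException` for a foreign entry as well as for a missing one means the response does not reveal whether another user's entry id exists. Two smaller points: `+         try {` has a nine-space indent where the surrounding code uses eight, and the docblock above the method still documents only `@return` although the signature now takes `Request $request`; the comment already flags the duplication of `EntryController::checkUserAction`, so consider extracting that check into a shared helper or a Symfony voter before it is copied a third time.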
    
  • tests/Wallabag/CoreBundle/Controller/ExportControllerTest.php (+13 −1, modified)
    @@ -57,7 +57,7 @@ public function testUnsupportedFormatExport()
             $this->assertSame(404, $client->getResponse()->getStatusCode());
         }
     
    -    public function testBadEntryId()
    +    public function testNonExistingEntryId()
         {
             $this->logInAs('admin');
             $client = $this->getClient();
    @@ -67,6 +67,18 @@ public function testBadEntryId()
             $this->assertSame(404, $client->getResponse()->getStatusCode());
         }
     
    +    public function testForbiddenEntryId()
    +    {
    +        $this->logInAs('admin');
    +        $client = $this->getClient();
    +
    +        // Entry with id 3 is owned by the user bob
    +        // See EntryFixtures
    +        $client->request('GET', '/export/3.mobi');
    +
    +        $this->assertSame(404, $client->getResponse()->getStatusCode());
    +    }
    +
         public function testEpubExport()
         {
             $this->logInAs('admin');
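Review bot: `testForbiddenEntryId` asserts only a 404, which is the same status `testNonExistingEntryId` asserts for a missing entry, so on its own it cannot tell an ownership rejection from a failed lookup. Pair it with a positive case in the same URL shape that exports an entry owned by the logged-in user and checks for a 200 with the expected content type, so that a regression in the id lookup is caught instead of passing as a 404. The fixture dependency noted in the comment (entry 3 owned by bob) works but is brittle; resolving bob's entry id from the repository inside the test would survive a fixture reordering.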
    

