Apache InLong: Insecure direct object references for inlong sources
Description
Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Different users in InLong could delete, edit, stop, and start others' sources! Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7775 to solve it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache InLong 1.4.0 to 1.6.0, missing permission checks allow users to delete, edit, stop, and start other users' data sources; upgrade to 1.7.0 or apply patch.
Vulnerability Description
CVE-2023-31066 is an access control vulnerability in Apache InLong, a data integration framework. In versions 1.4.0 through 1.6.0, the application fails to properly verify that a user has permission to modify resources belonging to another user. Specifically, the stream source management endpoints lack authorization checks, allowing any authenticated user to delete, edit, stop, or start sources owned by other users [1].
Attack Vector and Prerequisites
The vulnerability can be exploited by any authenticated user of the InLong platform. No special privileges are required beyond access to the web interface or API. An attacker can directly interact with the affected endpoints to target sources created by other users. The missing permission checks occur at the service layer, where the user identity is not validated against the resource owner [3].
Impact
A successful exploit allows an attacker to disrupt data pipelines by stopping or starting other users' sources, or altering their configuration. This can lead to data loss, corruption, or service unavailability. In a multi-tenant environment, the ability to modify another user's sources undermines the integrity and reliability of the data integration system [1].
Mitigation
Apache InLong version 1.7.0 includes a fix for this vulnerability. Users unable to upgrade can apply the patch from pull request #7775, which adds permission verification for stream source operations [3]. The fix ensures that modifications to a source are only allowed if the requesting user is the owner or has appropriate group-level permissions.
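The service-layer check the fix adds, as an added illustration that is not Apache InLong's own code: a hypothetical StreamSourceAuthz service with constructed sample sources, where stopUnchecked models the gap (the handler trusts the id from the request and never compares the caller with the record's owner) and stop models the corrected owner-or-group verification.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the service-layer authorization gap behind CVE-2023-31066.
// Class, method and user names are constructed for illustration, not InLong's code.
public class StreamSourceAuthz {
    record StreamSource(int id, String owner, String group) {}
    static class Forbidden extends RuntimeException { Forbidden(String m) { super(m); } }

    private final Map<Integer, StreamSource> sources = new HashMap<>();
    // group name -> users granted group-level management rights (constructed sample)
    private final Map<String, Set<String>> groupManagers = new HashMap<>();

    StreamSourceAuthz() {
        sources.put(1, new StreamSource(1, "alice", "sales"));
        sources.put(2, new StreamSource(2, "bob", "finance"));
        groupManagers.put("sales", Set.of("carol"));
    }

    // Pattern matching the advisory: the id from the request is resolved and acted on,
    // and the caller's identity is never checked against the resource owner.
    String stopUnchecked(int sourceId, String caller) {
        StreamSource s = sources.get(sourceId);
        if (s == null) throw new IllegalArgumentException("unknown source " + sourceId);
        return "stopped source " + s.id() + " (requested by " + caller + ")";
    }

    // Corrected pattern: the caller must own the source or hold group-level rights.
    String stop(int sourceId, String caller) {
        StreamSource s = sources.get(sourceId);
        // One error for "missing" and "not yours", so the endpoint does not reveal
        // which ids exist to users who hold no rights over them.
        if (s == null || !canManage(s, caller)) {
            throw new Forbidden("source " + sourceId + " not accessible to " + caller);
        }
        return "stopped source " + s.id() + " (requested by " + caller + ")";
    }

    boolean canManage(StreamSource s, String caller) {
        return s.owner().equals(caller)
            || groupManagers.getOrDefault(s.group(), Set.of()).contains(caller);
    }

    public static void main(String[] args) {
        StreamSourceAuthz svc = new StreamSourceAuthz();
        System.out.println(svc.stopUnchecked(2, "alice")); // succeeds: no ownership check
        System.out.println(svc.stop(1, "carol"));          // allowed via group-level right
        try { svc.stop(2, "alice"); } catch (Forbidden f) { System.out.println("denied: " + f.getMessage()); }
    }
}
```

The same canManage check belongs in front of every mutating source operation the advisory lists (delete, edit, stop, start), not only stop.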
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.inlong:manager-service | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-web | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
Affected products
- ghsa-coords (2 versions): >= 1.4.0, < 1.7.0, + 1 more
  - (no CPE) range: >= 1.4.0, < 1.7.0
  - (no CPE) range: >= 1.4.0, < 1.7.0
- Apache Software Foundation / Apache InLong (v5) range: 1.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/advisories/GHSA-wx79-r3q8-fq9h (ghsa, ADVISORY)
[2] lists.apache.org/thread/x7y05wo37sq5l9fnmmsjh2dr9kcjrcxf (ghsa, vendor-advisory, WEB)
[3] nvd.nist.gov/vuln/detail/CVE-2023-31066 (ghsa, ADVISORY)
[4] github.com/apache/inlong/pull/7775 (ghsa, WEB)
News mentions
No linked articles in our index yet.