Apache InLong: Users who joined later can see the data of deleted users
Description
Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.5.0 through 1.6.0. Users registered in InLong who joined later can see deleted users' data. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.5.0 through 1.6.0 have an insecure default resource initialization vulnerability where newly registered users can view data from deleted users.
Apache InLong, a data integration framework, suffers from an insecure default initialization of resource vulnerability affecting versions 1.5.0 through 1.6.0 [2]. The root cause is that when a user is deleted in InLong, the system does not properly remove their associated permissions or resource assignments. This oversight means that newly registered users, who join the system after a deletion, can inherit or access the resources that were originally tied to the deleted user's account [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:manager-dao (Maven) | >= 1.5.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-pojo (Maven) | >= 1.5.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-service (Maven) | >= 1.5.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-web (Maven) | >= 1.5.0, < 1.7.0 | 1.7.0 |
Affected products
- ghsa-coords (4 versions), range: >= 1.5.0, < 1.7.0
  - pkg:maven/org.apache.inlong/manager-dao
  - pkg:maven/org.apache.inlong/manager-pojo
  - pkg:maven/org.apache.inlong/manager-service
  - pkg:maven/org.apache.inlong/manager-web
- (no CPE) range: >= 1.5.0, < 1.7.0
- (no CPE) range: >= 1.5.0, < 1.7.0
- (no CPE) range: >= 1.5.0, < 1.7.0
- (no CPE) range: >= 1.5.0, < 1.7.0
- Apache Software Foundation/Apache InLong (v5), Range: 1.5.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-h79m-5cm2-278c (ghsa, ADVISORY)
- lists.apache.org/thread/shvwwr6toqz5rr39rwh4k03z08sh9jmr (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-31101 (ghsa, ADVISORY)
- github.com/apache/inlong/pull/7836 (ghsa, WEB)