Apache InLong: IDOR make users can delete others' subscription
Description
Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/7949
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.2.0 through 1.6.0 allow an attacker to delete other users' subscriptions due to missing permission checks.
CVE-2023-31453 is an incorrect permission assignment for critical resource vulnerability affecting Apache InLong versions 1.2.0 through 1.6.0. The root cause is a missing user authentication check when performing operations on subscriptions, specifically in the "inlong consume" functionality. This allows an attacker to delete subscriptions that belong to other users, even without being the owner of those subscriptions [1][2].
Exploitation
An attacker needs to have network access to an InLong instance and be able to send authenticated requests, but does not need any special privileges beyond a basic user account. The vulnerability resides in the Manager component, where the application fails to verify that the requesting user owns the subscription before allowing deletion [1]. This lack of authorization check means any authenticated user can enumerate and delete existing subscriptions.
Impact
By deleting another user's subscriptions, an attacker can disrupt data ingestion, synchronization, or subscription pipelines that rely on those subscriptions. This could lead to data loss, service unavailability, and potentially broader system instability, as InLong is used for massive data integration scenarios [3].
Mitigation
The vulnerability is fixed in Apache InLong version 1.7.0, which includes proper user authentication for the affected operations. Users unable to upgrade immediately can cherry-pick the specific pull request [1] that addresses the issue. As of the publication date, no workarounds beyond patching have been provided, and the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
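The missing check described above, as an added illustration that is not Apache InLong's code: a hypothetical in-memory subscription store whose `delete_unchecked` method shows the vulnerable pattern (authenticated caller, but no comparison of requester against the subscription's owner) next to `delete_checked`, which enforces ownership before mutating; `cross_owner_deletes` is a small audit-log helper for spotting deletions by non-owners on unpatched instances. All names and the sample data are constructed.

```python
# Added illustration, not Apache InLong's code: a hypothetical subscription store
# contrasting the missing-ownership-check pattern with the corrected one.
from dataclasses import dataclass, field

@dataclass
class Subscription:
    sub_id: int
    owner: str
    topic: str

@dataclass
class SubscriptionStore:
    subs: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (actor, owner, sub_id)

    def delete_unchecked(self, requester: str, sub_id: int) -> bool:
        """Vulnerable pattern: the caller is authenticated, but the object's
        owner is never compared with the requester, so any user can delete
        any subscription whose id they know (an IDOR)."""
        sub = self.subs.pop(sub_id, None)
        if sub is None:
            return False
        self.audit.append((requester, sub.owner, sub_id))
        return True

    def delete_checked(self, requester: str, sub_id: int, admins=()) -> bool:
        """Hardened pattern: resolve the object first, enforce that the
        requester owns it (or holds an admin role), and only then mutate."""
        sub = self.subs.get(sub_id)
        if sub is None:
            return False
        if requester != sub.owner and requester not in admins:
            raise PermissionError(f"{requester} does not own subscription {sub_id}")
        del self.subs[sub_id]
        self.audit.append((requester, sub.owner, sub_id))
        return True

def cross_owner_deletes(audit):
    """Detection helper: deletions where the actor is not the owner (admin
    deletions also appear here and should be reconciled against the admin
    list). On an unpatched instance these records are the signal to hunt for."""
    return [rec for rec in audit if rec[0] != rec[1]]

def sample_store() -> SubscriptionStore:
    """Constructed sample data: two subscriptions owned by different users."""
    store = SubscriptionStore()
    store.subs[1] = Subscription(1, "alice", "orders")
    store.subs[2] = Subscription(2, "bob", "payments")
    return store
```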
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.inlong:manager-service | Maven | >= 1.2.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-web | Maven | >= 1.2.0, < 1.7.0 | 1.7.0 |
Affected products
- ghsa-coords (2 versions, no CPE): >= 1.2.0, < 1.7.0
- ghsa-coords (no CPE): >= 1.2.0, < 1.7.0
- Apache Software Foundation / Apache InLong (v5 range): 1.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-8rjh-3mhm-966q (GHSA advisory)
- https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06 (vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-31453 (NVD advisory)
- https://github.com/apache/inlong/pull/7949 (fix pull request)
News mentions
No linked articles in our index yet.