Apache InLong: General user Unauthorized access User Management
Description
Insufficient Verification of Data Authenticity vulnerability in Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0.
A general user can view all user data, including admin accounts.
Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to fix it.
[1] https://github.com/apache/inlong/pull/8623
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-43666 in Apache InLong 1.4.0 through 1.8.0 allows unprivileged users to view all user data, including admin accounts.
CVE-2023-43666 is an insufficient verification of data authenticity vulnerability in Apache InLong, affecting versions from 1.4.0 through 1.8.0. The root cause is a lack of proper authorization checks in the user API, which allows a general user to view all user data, including admin accounts [1][2].
The attack surface is the InLong Manager's user API. An attacker only needs to be an authenticated general user (non-admin) to exploit this flaw; no additional privileges are required. By making API requests that should be restricted, the attacker can enumerate sensitive user information [2].
The impact is that an attacker can obtain the complete list of users and their details, potentially including administrative accounts. This information leakage could be used to target higher-privilege accounts or inform further attacks [2].
The vulnerability is fixed in Apache InLong 1.9.0 and via a cherry-pick of the commit from pull request #8623 [1]. Users are strongly advised to upgrade or apply the patch immediately. No workarounds have been published, and as of the publication date, this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:inlong (Maven) | >= 1.4.0, < 1.9.0 | 1.9.0 |
Affected products
- Range: 1.4.0
Patches
16b50691690f3 [INLONG-8622][Manager] User API Permissions Optimization (#8623)
1 file changed · +4 −1
inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/UserController.java+4 −1 modified@@ -27,6 +27,7 @@ import io.swagger.annotations.Api; import io.swagger.annotations.ApiOperation; +import org.apache.shiro.authz.annotation.Logical; import org.apache.shiro.authz.annotation.RequiresRoles; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.validation.annotation.Validated; @@ -74,12 +75,14 @@ public Response<UserInfo> getById(@PathVariable Integer id) { @GetMapping("/user/getByName/{name}") @ApiOperation(value = "Get user by name") + @RequiresRoles(logical = Logical.OR, value = {UserRoleCode.INLONG_ADMIN, UserRoleCode.INLONG_OPERATOR}) public Response<UserInfo> getByName(@PathVariable String name) { return Response.success(userService.getByName(name)); } @PostMapping("/user/listAll") @ApiOperation(value = "List all users") + @RequiresRoles(logical = Logical.OR, value = {UserRoleCode.INLONG_ADMIN, UserRoleCode.TENANT_ADMIN}) public Response<PageResult<UserInfo>> list(@RequestBody UserRequest request) { return Response.success(userService.list(request)); } @@ -93,7 +96,7 @@ public Response<Integer> update(@Validated @RequestBody UserRequest userInfo) { @DeleteMapping("/user/delete") @ApiOperation(value = "Delete user by id") - @RequiresRoles(value = UserRoleCode.TENANT_ADMIN) + @RequiresRoles(value = UserRoleCode.INLONG_ADMIN) public Response<Boolean> delete(@RequestParam("id") Integer id) { String currentUser = LoginUserUtils.getLoginUser().getName(); return Response.success(userService.delete(id, currentUser));
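Review bot: the two guards added in the second hunk use different role sets (getByName admits INLONG_ADMIN or INLONG_OPERATOR, listAll admits INLONG_ADMIN or TENANT_ADMIN) and neither the hunk nor the commit message says why an operator may look a user up by name but not list users while a tenant admin gets the reverse; add a comment on each annotation or a sentence in the PR stating the intended rule so the asymmetry is not read as an oversight. The hunk opens on the closing brace of getById, so that handler's own annotations are outside the diff; confirm it carries an equivalent @RequiresRoles, since it returns the same UserInfo. A test asserting that a subject holding only the general user role is rejected on both endpoints would pin the fix.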
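Review bot: the third hunk tightens delete from TENANT_ADMIN to INLONG_ADMIN, which removes a capability tenant administrators had before, and neither the hunk nor the commit message ("User API Permissions Optimization") calls that behaviour change out; state it in the PR description and release notes. As with the other two endpoints, a test for the tightened role (TENANT_ADMIN subject denied, INLONG_ADMIN subject allowed) would make the new rule explicit.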
Vulnerability mechanics
Root cause
"Missing role-based access control annotations on user-management API endpoints allow any authenticated user to retrieve all user data."
Attack vector
An attacker with a low-privileged (general user) account can call the `/user/getByName/{name}` or `/user/listAll` endpoints without proper authorization checks [CWE-345]. Because the controller methods lacked `@RequiresRoles` annotations, the server does not verify that the caller holds an administrative role before returning sensitive user information. This allows a general user to enumerate all user accounts and view details that should be visible only to admins.
Affected code
The vulnerability is in the `UserController.java` file of the `inlong-manager` module. The `getByName` and `listAll` endpoints lacked role-based access control annotations, allowing any authenticated user to query user data. The `delete` endpoint was incorrectly restricted to `TENANT_ADMIN` instead of `INLONG_ADMIN`.
What the fix does
The patch adds `@RequiresRoles` annotations to the `getByName` and `listAll` methods, restricting them to `INLONG_ADMIN`/`INLONG_OPERATOR` and `INLONG_ADMIN`/`TENANT_ADMIN` respectively [patch_id=1640595]. It also changes the `delete` endpoint's role from `TENANT_ADMIN` to `INLONG_ADMIN`, ensuring only the highest-privilege role can delete users. These annotations enforce server-side authorization checks before returning user data, closing the privilege escalation.
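The audit that would have flagged this class of defect, as an added example (not Apache InLong project code and not part of the advisory): a Python script that scans a Spring controller source for mapped handler methods carrying no method-level Shiro `@RequiresRoles` or `@RequiresPermissions` annotation, and reports the role sets on the ones that are guarded. It generalises beyond the two endpoints named above to every mapped handler in a file. The two Java samples inside it are constructed to mirror the shape of `UserController` before and after the patch; they are not the real file, and the guard shown on `getById` is an assumption, since the diff does not show that method's annotations.

```python
"""Find Spring handlers with no Shiro role check (added example, not InLong code).

Generalises the defect behind CVE-2023-43666: a @GetMapping/@PostMapping/
@DeleteMapping handler with no method-level @RequiresRoles/@RequiresPermissions
is reachable by every authenticated subject. Assumes one annotation per line,
as in the patch.
"""
import re
from dataclasses import dataclass

# Constructed sample mirroring the pre-fix controller shape (not the real file);
# the guard on getById is an assumption, the patch does not show it.
VULNERABLE_CONTROLLER = '''\
@RestController
@RequestMapping("/api")
public class UserController {
    @GetMapping("/user/get/{id}")
    @RequiresRoles(logical = Logical.OR, value = {UserRoleCode.INLONG_ADMIN, UserRoleCode.INLONG_OPERATOR})
    public Response<UserInfo> getById(@PathVariable Integer id) {
        return Response.success(userService.getById(id));
    }
    @GetMapping("/user/getByName/{name}")
    @ApiOperation(value = "Get user by name")
    public Response<UserInfo> getByName(@PathVariable String name) {
        return Response.success(userService.getByName(name));
    }
    @PostMapping("/user/listAll")
    @ApiOperation(value = "List all users")
    public Response<PageResult<UserInfo>> list(@RequestBody UserRequest request) {
        return Response.success(userService.list(request));
    }
    @DeleteMapping("/user/delete")
    @RequiresRoles(value = UserRoleCode.TENANT_ADMIN)
    public Response<Boolean> delete(@RequestParam("id") Integer id) {
        String currentUser = LoginUserUtils.getLoginUser().getName();
        return Response.success(userService.delete(id, currentUser));
    }
}
'''

# The same sample with the three annotation changes from PR #8623 applied.
FIXED_CONTROLLER = (
    VULNERABLE_CONTROLLER
    .replace('    @ApiOperation(value = "Get user by name")\n',
             '    @ApiOperation(value = "Get user by name")\n'
             '    @RequiresRoles(logical = Logical.OR, value = {UserRoleCode.INLONG_ADMIN, UserRoleCode.INLONG_OPERATOR})\n')
    .replace('    @ApiOperation(value = "List all users")\n',
             '    @ApiOperation(value = "List all users")\n'
             '    @RequiresRoles(logical = Logical.OR, value = {UserRoleCode.INLONG_ADMIN, UserRoleCode.TENANT_ADMIN})\n')
    .replace('@RequiresRoles(value = UserRoleCode.TENANT_ADMIN)',
             '@RequiresRoles(value = UserRoleCode.INLONG_ADMIN)')
)

MAPPING_RE = re.compile(r'@(Get|Post|Put|Delete|Patch|Request)Mapping\s*\(\s*(?:value\s*=\s*)?"([^"]*)"')
GUARD_RE = re.compile(r"@(RequiresRoles|RequiresPermissions)\b")   # Shiro authz annotations
ROLES_RE = re.compile(r"UserRoleCode\.(\w+)")                       # role constants named in a guard
METHOD_RE = re.compile(r"^\s*(?:public|protected|private)\s+[\w<>,\s\[\]?]+?\s+(\w+)\s*\(")
ANNOTATION_RE = re.compile(r"^\s*@\w+")


@dataclass
class Endpoint:
    http: str      # verb from the mapping annotation (GET, POST, DELETE, ...)
    path: str      # path literal from the mapping annotation
    method: str    # Java handler method name
    roles: tuple   # role constants named in the guard, sorted; empty when unguarded
    guarded: bool  # True when a Shiro authorization annotation precedes the method


def scan_controller(source: str) -> list:
    """Return one Endpoint per mapped handler method, in source order."""
    endpoints, pending = [], []   # pending: annotation lines since the last non-annotation line
    for line in source.splitlines():
        if ANNOTATION_RE.match(line):
            pending.append(line)
            continue
        m = METHOD_RE.match(line)
        if m and pending:
            block = "\n".join(pending)
            mapping = MAPPING_RE.search(block)
            if mapping:   # only mapped handlers are endpoints; helpers are ignored
                endpoints.append(Endpoint(
                    http=mapping.group(1).upper(),
                    path=mapping.group(2),
                    method=m.group(1),
                    roles=tuple(sorted(set(ROLES_RE.findall(block)))),
                    guarded=GUARD_RE.search(block) is not None,
                ))
        pending = []   # class header, field or brace ends the annotation run
    return endpoints


def unguarded_endpoints(source: str) -> list:
    """Handlers any authenticated subject can call: the CVE-2023-43666 pattern."""
    return [e for e in scan_controller(source) if not e.guarded]


if __name__ == "__main__":
    for label, src in (("before fix", VULNERABLE_CONTROLLER), ("after fix", FIXED_CONTROLLER)):
        print(f"== {label} ==")
        for e in scan_controller(src):
            print(f"{e.http:6} {e.path:24} {e.method:10} roles={e.roles or 'NONE'}")
        print("unguarded:", [e.path for e in unguarded_endpoints(src)])
```

Run as a script it lists every mapped handler with its role set and then the unguarded paths: `/user/getByName/{name}` and `/user/listAll` before the fix, none after. The check is deliberately method-level only: a class-level `@RequiresRoles` would not be seen, which is the conservative choice for an audit, since a handler that relies on an inherited guard is exactly the kind of thing a reviewer should be made to look at.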
Preconditions
- Auth: Attacker must have a valid authenticated session as a general (non-admin) user.
- Network: The affected endpoints (/user/getByName, /user/listAll) must be reachable over the network.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wj6q-chpv-mcrx (GHSA, advisory)
- lists.apache.org/thread/scbgh3ty3xcxm3q33r2t9f42gwwo1why (GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43666 (GHSA, advisory)
- github.com/apache/inlong/pull/8623 (GHSA, web)
News mentions
No linked articles in our index yet.