CVE-2023-50974
Description
In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Appwrite CLI before 3.0.0 stores user credentials in a world-readable file, allowing local attackers to steal authentication secrets.
In Appwrite CLI versions prior to 3.0.0, the login command saves the user's credentials—such as API keys or session tokens—in a plain-text JSON file located at ~/.appwrite/prefs.json [1][2]. This file is created with Unix file permissions 0644, meaning it is readable by all users on the local system [2]. The root cause is an insecure default permission setting during credential storage, which neglects to restrict access to only the file owner.
An attacker with local access to the system—whether through a shared machine, a compromised low-privilege account, or a malicious process running under a different user—can simply read the prefs.json file without any authentication or elevated privileges [2]. No special conditions are required beyond the ability to read files in the home directory of the user who ran the Appwrite CLI login command. The attack surface is limited to local systems, but in multi-user environments or cloud workstations, the impact can be widespread.
Successful exploitation allows the attacker to obtain the victim's Appwrite credentials, which could include API keys or session tokens. With these credentials, they could impersonate the victim and gain unauthorized access to Appwrite projects, potentially leading to data theft, resource manipulation, or further lateral movement within the Appwrite backend services [1][2].
The vulnerability is fixed in Appwrite CLI version 3.0.0 [2]. Users are strongly advised to update to the latest version. For those unable to upgrade immediately, a manual workaround is to change the permissions of the prefs.json file to 0600 and ensure the credentials are not left accessible to other local users [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
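The permission problem described above, as an added Node.js example that is not Appwrite CLI source code: a default-mode write next to an owner-only write, plus a check for group/other permission bits. The function names and the sample value are hypothetical, and a POSIX system with umask 022 is assumed.

```javascript
// Added example, not Appwrite CLI source; function names are hypothetical.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Pattern matching the advisory: the file is created with the default mode,
// 0666 & ~umask, which is 0644 under the common umask 022.
function writePrefsInsecure(file, prefs) {
  fs.mkdirSync(path.dirname(file), { recursive: true });
  fs.writeFileSync(file, JSON.stringify(prefs));
}

// Hardened write: owner-only directory, secret written to a fresh 0600 file
// that then replaces the old one, so a stale 0644 file never holds new data.
function writePrefsSecure(file, prefs) {
  const dir = path.dirname(file);
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  fs.chmodSync(dir, 0o700); // mkdir's mode is ignored if the directory exists
  const tmp = `${file}.${process.pid}.tmp`;
  const fd = fs.openSync(tmp, "wx", 0o600); // "wx": fail if the name exists
  try {
    fs.writeSync(fd, JSON.stringify(prefs));
  } finally {
    fs.closeSync(fd);
  }
  fs.renameSync(tmp, file); // atomic replace on the same filesystem
}

// Audit helper: permission bits granted to group or other (0 = owner-only).
function groupOtherBits(file) {
  return fs.statSync(file).mode & 0o077;
}

// Runs both writers against a throwaway directory, never the real home.
function demo() {
  const oldUmask = process.umask(0o022);
  const home = fs.mkdtempSync(path.join(os.tmpdir(), "prefs-demo-"));
  const file = path.join(home, ".appwrite", "prefs.json");
  try {
    const prefs = { cookie: "CONSTRUCTED-SAMPLE-VALUE" }; // constructed value
    writePrefsInsecure(file, prefs);
    const before = fs.statSync(file).mode & 0o777;
    writePrefsSecure(file, prefs);
    const after = fs.statSync(file).mode & 0o777;
    return { before, after, exposed: groupOtherBits(file) };
  } finally {
    process.umask(oldUmask);
    fs.rmSync(home, { recursive: true, force: true });
  }
}
```

Pointing groupOtherBits at an existing prefs.json gives a quick audit: any non-zero result means the file is still readable or writable beyond its owner.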
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| appwrite-cli (npm) | < 3.0.0 | 3.0.0 |
| appwrite (PyPI) | < 3.0.0 | 3.0.0 |
Affected products
- Appwrite/CLI (description)
  - Range: <3.0.0
- ghsa-coords (2 versions)
  - < 3.0.0 (+ 1 more)
- (no CPE), range: < 3.0.0
- (no CPE), range: < 3.0.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-g777-crp9-m27g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-50974 (ghsa, ADVISORY)
- appwrite.io/docs/tooling/command-line/installation (ghsa, WEB)
- gist.github.com/SkypLabs/72ee00ecfa7d1a3494e2d69a24279c1d (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/appwrite/PYSEC-2024-2.yaml (ghsa, WEB)