VYPR
Moderate severity · NVD Advisory · Published Mar 28, 2024 · Updated Nov 15, 2024

CVE-2024-29316


Description

NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group via "isadmin":true.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NodeBB 3.6.7 contains an access control flaw allowing low-privileged users to access Admin-restricted tabs by injecting `"isadmin":true`.

Root Cause

NodeBB 3.6.7 does not properly enforce authorization for administrative interface components. The published description gives only the trigger, an "isadmin":true value supplied by the client, so the most likely cause is that some request-level or client-side check trusts that field instead of deriving admin status from the authenticated session's server-side group membership. A low-privileged attacker who sends a crafted request carrying "isadmin":true can then reach tabs and panels intended only for the Admin group [1].

Attack Vector

An attacker holding a standard user account manipulates the HTTP request or WebSocket payload so that it carries the isadmin flag set to true. No special network position or additional authentication is required beyond valid low-privilege credentials; the attack is carried out through the normal web interface, and the only precondition is a registered account [1].
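To make the root cause and attack vector concrete, the following is an added example in plain Node.js, not NodeBB's code: a generic admin-only route handler with the vulnerable authorization pattern (privilege read from client JSON) beside the hardened one (privilege derived from the authenticated uid and a server-side group lookup). The request shape (req.uid set by session middleware, req.body parsed from client JSON), the user store and every function name are assumptions made for this illustration.

```javascript
'use strict';
// Added example (not NodeBB's code): a generic Node.js authorization check
// showing the class of flaw described above. The request shape (req.uid set by
// session middleware, req.body parsed from client JSON), the user store and all
// function names are assumptions made for this illustration.

// Constructed server-side user records keyed by uid. In a real deployment this
// is the database, and "administrators" membership is what grants admin rights.
const USERS = {
  1: { username: 'admin', groups: ['administrators'] },
  2: { username: 'alice', groups: ['registered-users'] },
};

// Derives admin status from server-side state only.
function isAdminServerSide(uid) {
  const user = USERS[uid];
  return Boolean(user && user.groups.includes('administrators'));
}

// VULNERABLE pattern: the privilege decision is read from client-controlled
// JSON. Any authenticated user who sends {"isadmin": true} passes the check.
function canOpenAdminTabVulnerable(req) {
  return Boolean(req.body && req.body.isadmin === true);
}

// HARDENED pattern: the decision uses only the authenticated identity (req.uid)
// and the server-side group lookup; nothing in req.body is consulted.
function canOpenAdminTabHardened(req) {
  if (!req.uid) return false; // uid 0 / undefined = not logged in
  return isAdminServerSide(req.uid);
}

// Route handler for an admin-only tab, parameterised by the authorizer so the
// two patterns can be compared on identical input.
function handleAdminTab(req, authorize) {
  if (!authorize(req)) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  return { status: 200, body: { tab: 'settings', for: req.uid } };
}

// Constructed requests: alice (uid 2) is an ordinary user injecting the flag;
// uid 1 is a genuine administrator; uid 0 is an unauthenticated visitor.
const forgedRequest = { uid: 2, body: { isadmin: true, tab: 'settings' } };
const adminRequest = { uid: 1, body: { tab: 'settings' } };
const anonymousRequest = { uid: 0, body: { isadmin: true } };

// Runs both authorizers over the constructed requests and returns the statuses.
function demo() {
  return {
    vulnerableForged: handleAdminTab(forgedRequest, canOpenAdminTabVulnerable).status, // 200
    hardenedForged: handleAdminTab(forgedRequest, canOpenAdminTabHardened).status, // 403
    hardenedAdmin: handleAdminTab(adminRequest, canOpenAdminTabHardened).status, // 200
    hardenedAnonymous: handleAdminTab(anonymousRequest, canOpenAdminTabHardened).status, // 403
  };
}

console.log(demo());
```

The point of the comparison is that the hardened authorizer never reads req.body at all: admin status is a property of the session's server-side identity, so there is nothing in the client payload an attacker can set to change the outcome.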

Impact

Successful exploitation gives the attacker access to privileged administrative controls, including settings and management panels, which can lead to full compromise of the NodeBB instance: forum configuration and user data can be modified and, depending on what those panels expose, the server environment may be reachable as well [1]. NodeBB's bug bounty program classifies privilege escalation to admin as a Critical severity issue [2], a higher rating than the Moderate severity shown at the top of this page.

Mitigation

NodeBB has acknowledged the vulnerability, but as of the publication date no patch had been released for version 3.6.7 [1][3]. Note that the Affected packages table below, sourced from the GitHub Security Advisory, lists 3.6.7 as the patched version, while the NVD description lists 3.6.7 as vulnerable; confirm the fixed release against the advisory itself rather than relying on either statement alone. Administrators should watch the official NodeBB repository and security advisories for an update. In the interim, restricting self-service account creation reduces the pool of low-privileged attackers, and alerting on requests from non-admin accounts that carry an isadmin field gives early warning, since that flag is the known trigger. Any locally maintained plugins or routes should also be checked so that admin-only access is decided from the session's server-side group membership, never from request data.
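The "monitor logs for unusual isadmin flags" advice above is easy to act on once the request body is logged. The following is an added example, not NodeBB tooling: a triage routine over a constructed JSON-lines request log that reports every request carrying an isadmin key (at any nesting depth and in any letter case) and singles out the ones sent by accounts that are not already administrators. The log format (one JSON object per line with ts, uid, method, path and the parsed client body) and the set of admin uids are assumptions; adapt the parser to whatever your reverse proxy or application actually emits.

```javascript
'use strict';
// Added example (not NodeBB tooling): a log triage routine for the interim
// mitigation above. The log format (one JSON object per line with ts, uid,
// method, path and the parsed client body) and the set of admin uids are
// assumptions; adapt the parser to whatever your reverse proxy or app emits.

// Assumption: uids that legitimately belong to the administrators group.
const ADMIN_UIDS = new Set([1]);

// Constructed sample log (not real NodeBB output). Line 2 is the textbook
// case; line 3 sends the flag as a string; line 4 comes from a real admin;
// line 6 is garbage; line 7 nests the flag and changes its case.
const SAMPLE_LOG = [
  '{"ts":"2024-03-28T10:00:01Z","uid":1,"method":"GET","path":"/admin/settings","body":{}}',
  '{"ts":"2024-03-28T10:00:05Z","uid":2,"method":"POST","path":"/api/admin/settings","body":{"isadmin":true}}',
  '{"ts":"2024-03-28T10:00:09Z","uid":2,"method":"POST","path":"/api/topics","body":{"title":"hi","isadmin":"true"}}',
  '{"ts":"2024-03-28T10:00:11Z","uid":1,"method":"POST","path":"/api/admin/settings","body":{"isadmin":true,"setting":"x"}}',
  '{"ts":"2024-03-28T10:00:12Z","uid":0,"method":"GET","path":"/","body":{}}',
  'this line is not json',
  '{"ts":"2024-03-28T10:00:20Z","uid":3,"method":"PUT","path":"/api/users/3","body":{"profile":{"isAdmin":true}}}',
].join('\n');

// True if a key named isadmin (any case) appears anywhere in the body,
// including nested objects and arrays, since the flag need not be top-level.
function containsIsAdminKey(value) {
  if (Array.isArray(value)) return value.some(containsIsAdminKey);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => key.toLowerCase() === 'isadmin' || containsIsAdminKey(inner),
    );
  }
  return false;
}

// Scans the log and returns one record per request carrying the flag.
// escalationAttempt marks the ones worth paging on: the sender is NOT a
// known admin, so the only reason to send isadmin is to try to become one.
function findIsAdminRequests(logText) {
  const hits = [];
  logText.split('\n').forEach((line, index) => {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      return; // not a JSON log line; skip rather than abort the whole scan
    }
    if (entry === null || typeof entry !== 'object') return;
    if (!containsIsAdminKey(entry.body)) return;
    hits.push({
      line: index + 1,
      uid: entry.uid,
      method: entry.method,
      path: entry.path,
      escalationAttempt: !ADMIN_UIDS.has(entry.uid),
    });
  });
  return hits;
}

// Only the requests that look like privilege-escalation attempts.
function escalationAttempts(logText) {
  return findIsAdminRequests(logText).filter((hit) => hit.escalationAttempt);
}

console.log(escalationAttempts(SAMPLE_LOG));
```

Requests from uids already in the admin set are still returned by findIsAdminRequests so they can be reviewed, but only the non-admin ones are flagged as escalation attempts; that distinction keeps the alert from firing on whatever legitimate admin traffic happens to carry the same field.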

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
nodebb    npm         < 3.6.7             3.6.7

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
