High severity 7.2 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-25700

CVE-2026-25700

Description

Improper Restriction of Security Token Assignment vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

Affected products


Patches

6fc25c69f4ef

fix(auth): add API key scope checks to enhance authorization security

https://github.com/apache/incubator-answer · LinkinStars · Mar 3, 2026 · Fixed in 2.0.1 · via llm-release-walk
1 file changed · +28 0
  • internal/base/middleware/auth.go+28 0 modified
    @@ -116,6 +116,10 @@ func (am *AuthUserMiddleware) MustAuthWithoutAccountAvailable() gin.HandlerFunc
     			ctx.Abort()
     			return
     		}
    +		// Check API key scope
    +		if am.AuthAPIKeyScope(ctx, token) {
    +			return
    +		}
     		userInfo, err := am.authService.GetUserCacheInfo(ctx, token)
     		if err != nil || userInfo == nil {
     			handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
    @@ -141,6 +145,10 @@ func (am *AuthUserMiddleware) MustAuthAndAccountAvailable() gin.HandlerFunc {
     			ctx.Abort()
     			return
     		}
    +		// Check API key scope
    +		if am.AuthAPIKeyScope(ctx, token) {
    +			return
    +		}
     		userInfo, err := am.authService.GetUserCacheInfo(ctx, token)
     		if err != nil || userInfo == nil {
     			handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
    @@ -226,6 +234,26 @@ func (am *AuthUserMiddleware) CheckPrivateMode() gin.HandlerFunc {
     		ctx.Next()
     	}
     }
    +
    +func (am *AuthUserMiddleware) AuthAPIKeyScope(ctx *gin.Context, accessToken string) (apiHaveNoScope bool) {
    +	if !strings.HasPrefix(accessToken, "sk_") {
    +		return false
    +	}
    +	var err error
    +	pass, err := am.authService.AuthAPIKey(ctx, ctx.Request.Method == "GET", accessToken)
    +	if err != nil {
    +		handler.HandleResponse(ctx, errors.Forbidden(reason.ForbiddenError), nil)
    +		ctx.Abort()
    +		return true
    +	}
    +	if !pass {
    +		handler.HandleResponse(ctx, errors.Forbidden(reason.ForbiddenError), nil)
    +		ctx.Abort()
    +		return true
    +	}
    +	return false
    +}
    +
     func ShowIndexPage(ctx *gin.Context) {
     	ctx.Header("content-type", "text/html;charset=utf-8")
     	ctx.Header("X-Frame-Options", "DENY")
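Review bot: In the new `AuthAPIKeyScope` (third hunk), the `var err error` line is dead: `pass, err := ...` on the next line declares `pass` and simply reuses `err`, so the explicit declaration can go. The two rejection branches that follow are byte-identical and collapse to one: `if err != nil || !pass {`, which also makes it visible that a lookup failure inside `AuthAPIKey` is answered with the same 403 as a scope denial — fail-closed, but it hides backend faults from the operator unless `AuthAPIKey` logs them itself, which I cannot see from here. The named result `apiHaveNoScope` does not describe what is returned: the function yields true whenever it has already written a response and aborted, including the error path, so a doc comment such as `// AuthAPIKeyScope enforces the scope of an "sk_"-prefixed API key; it returns true when the request was rejected and the context aborted, false when the caller should continue.` would spare the next reader a wrong guess. The same call is inserted in the first two hunks, whose enclosing functions start and end outside the hunk.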
    
869b040e92d6

fix(auth): enhance admin user cache management and add status checks for email verification and suspension

https://github.com/apache/incubator-answer · LinkinStars · Feb 6, 2026 · Fixed in 2.0.1 · via llm-release-walk
2 files changed · +48 1
  • internal/base/middleware/auth.go+15 0 modified
    @@ -184,7 +184,22 @@ func (am *AuthUserMiddleware) AdminAuth() gin.HandlerFunc {
     			return
     		}
     		if userInfo != nil {
    +			if userInfo.EmailStatus == entity.EmailStatusToBeVerified {
    +				_ = am.authService.RemoveAdminUserCacheInfo(ctx, token)
    +				handler.HandleResponse(ctx, errors.Forbidden(reason.EmailNeedToBeVerified),
    +					&schema.ForbiddenResp{Type: schema.ForbiddenReasonTypeInactive})
    +				ctx.Abort()
    +				return
    +			}
    +			if userInfo.UserStatus == entity.UserStatusSuspended {
    +				_ = am.authService.RemoveAdminUserCacheInfo(ctx, token)
    +				handler.HandleResponse(ctx, errors.Forbidden(reason.UserSuspended),
    +					&schema.ForbiddenResp{Type: schema.ForbiddenReasonTypeUserSuspended})
    +				ctx.Abort()
    +				return
    +			}
     			if userInfo.UserStatus == entity.UserStatusDeleted {
    +				_ = am.authService.RemoveAdminUserCacheInfo(ctx, token)
     				handler.HandleResponse(ctx, errors.Unauthorized(reason.UnauthorizedError), nil)
     				ctx.Abort()
     				return
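Review bot: The three `_ = am.authService.RemoveAdminUserCacheInfo(ctx, token)` lines discard the removal error with no comment saying why that is acceptable. Because the request is rejected right after, the drop is presumably best-effort, and the stale entry would be rejected again on the next request as long as `userInfo` keeps reflecting the refreshed status, which is produced above the hunk; that reasoning belongs next to the code, e.g. `// best-effort: the request is rejected below regardless; a stale entry is rejected again by these checks on the next request`, or the error should go to the file's logger so a broken cache backend is not invisible. Since the same three-line removal-and-reject sequence now appears three times, a small helper taking the reason and the `ForbiddenResp` would keep the three paths from drifting apart. `AdminAuth` starts and ends outside the hunk.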
    
  • internal/service/auth/auth.go+33 1 modified
    @@ -145,7 +145,39 @@ func (as *AuthService) RemoveTokensExceptCurrentUser(ctx context.Context, userID
     // Admin
     
     func (as *AuthService) GetAdminUserCacheInfo(ctx context.Context, accessToken string) (userInfo *entity.UserCacheInfo, err error) {
    -	return as.authRepo.GetAdminUserCacheInfo(ctx, accessToken)
    +	adminCacheInfo, err := as.authRepo.GetAdminUserCacheInfo(ctx, accessToken)
    +	if err != nil {
    +		return nil, err
    +	}
    +	if adminCacheInfo == nil {
    +		return nil, nil
    +	}
    +
    +	// Keep admin authorization aligned with user-token lifecycle and status refresh.
    +	refreshedUserCacheInfo, err := as.GetUserCacheInfo(ctx, accessToken)
    +	if err != nil {
    +		return nil, err
    +	}
    +	if refreshedUserCacheInfo == nil {
    +		if err = as.authRepo.RemoveAdminUserCacheInfo(ctx, accessToken); err != nil {
    +			return nil, err
    +		}
    +		return nil, nil
    +	}
    +
    +	adminCacheInfo.UserStatus = refreshedUserCacheInfo.UserStatus
    +	adminCacheInfo.EmailStatus = refreshedUserCacheInfo.EmailStatus
    +	if refreshedUserCacheInfo.RoleID > 0 {
    +		adminCacheInfo.RoleID = refreshedUserCacheInfo.RoleID
    +	}
    +	if len(refreshedUserCacheInfo.ExternalID) > 0 {
    +		adminCacheInfo.ExternalID = refreshedUserCacheInfo.ExternalID
    +	}
    +
    +	if err = as.authRepo.SetAdminUserCacheInfo(ctx, accessToken, adminCacheInfo); err != nil {
    +		return nil, err
    +	}
    +	return adminCacheInfo, nil
     }
     
     func (as *AuthService) SetAdminUserCacheInfo(ctx context.Context, accessToken string, userInfo *entity.UserCacheInfo) (err error) {
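Review bot: `GetAdminUserCacheInfo` now performs `SetAdminUserCacheInfo` on every call, so each admin request turns a cache read into a read plus a write even when nothing in the refreshed record differs, and any write failure rejects a request whose refreshed state is valid (fail-closed, which may be intended, but it is not stated). Writing back only when a field actually changed keeps the lifecycle alignment while removing the per-request write; the excerpt below treats `ExternalID` as a string, which the existing `len()` check suggests but does not prove. The exported method also has no doc comment; `// GetAdminUserCacheInfo returns the admin cache entry for accessToken, re-validated against the user cache: a missing user entry evicts the admin entry, and status, role and external id are refreshed from it.` would describe the new contract.

```go
	// … unchanged: repo lookup, nil handling and eviction when the user entry is gone …
	changed := adminCacheInfo.UserStatus != refreshedUserCacheInfo.UserStatus ||
		adminCacheInfo.EmailStatus != refreshedUserCacheInfo.EmailStatus
	adminCacheInfo.UserStatus = refreshedUserCacheInfo.UserStatus
	adminCacheInfo.EmailStatus = refreshedUserCacheInfo.EmailStatus
	if refreshedUserCacheInfo.RoleID > 0 && refreshedUserCacheInfo.RoleID != adminCacheInfo.RoleID {
		adminCacheInfo.RoleID = refreshedUserCacheInfo.RoleID
		changed = true
	}
	if len(refreshedUserCacheInfo.ExternalID) > 0 && refreshedUserCacheInfo.ExternalID != adminCacheInfo.ExternalID {
		adminCacheInfo.ExternalID = refreshedUserCacheInfo.ExternalID
		changed = true
	}
	// Only touch the cache when the entry drifted; unchanged entries stay read-only.
	if changed {
		if err = as.authRepo.SetAdminUserCacheInfo(ctx, accessToken, adminCacheInfo); err != nil {
			return nil, err
		}
	}
	return adminCacheInfo, nil
```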
    

Vulnerability mechanics

Root cause

"Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated."

Attack vector

An attacker holding a previously issued administrative token can continue to access administrative APIs even after the associated administrator account has been suspended, deleted, or deactivated. This access persists until the token naturally expires. The vulnerability therefore allows continued administrative access through security tokens that were never invalidated.

Affected code

The vulnerability is addressed in `internal/base/middleware/auth.go` by adding checks for user and email status within the `AdminAuth` middleware [patch_id=5502052]. A new function `AuthAPIKeyScope` is also introduced in the same file [patch_id=5502051]. The `internal/service/auth/auth.go` file is modified to refresh user cache information and align admin authorization with user token lifecycle and status [patch_id=5502052].

What the fix does

The patch introduces checks to ensure that administrative tokens are properly invalidated when an administrator account's status changes. Specifically, the `AdminAuth` middleware now checks for `EmailStatusToBeVerified`, `UserStatusSuspended`, and `UserStatusDeleted` before allowing access. If any of these conditions are met, the corresponding admin user cache information is removed, and access is denied [patch_id=5502052]. Additionally, a new `AuthAPIKeyScope` function was added to check API key scopes, enhancing authorization security [patch_id=5502051].

Preconditions

  • auth: An administrator must have previously been issued a security token.

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

