TSPortal: Anyone can forge self-deletion requests of any user
Description
TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been patched in version 30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In TSPortal prior to v30, empty string-to-null conversion allows DPA reports to be disguised as self-deletion requests, enabling unauthorized data deletion.
Vulnerability Overview
TSPortal, the WikiTide Foundation's Trust and Safety platform, uses Laravel middleware that converts empty strings to null [1]. In the DPAController, leaving the evidence field empty when creating a DPA report results in a null value, making the report appear as a genuine self-deletion request instead of a DPA report [3]. This flaw exists prior to version 30.
Exploitation
An attacker can create a DPA report against any user by selecting a reason such as suspected underage user and leaving the evidence field empty. The resulting report is indistinguishable from a legitimate self-deletion report, as there is no validation to ensure evidence is provided [3]. No authentication beyond basic access to TSPortal is required.
Impact
Successful exploitation could lead to unauthorized deletion of an arbitrary user's data within TSPortal and potentially in subsequent systems if actioned upon [3]. This undermines the integrity of the report handling process.
Mitigation
The issue has been patched in version 30 by either disabling the convertEmptyStringsToNull middleware or adding validation to require evidence in the DPAController's store method [2][3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
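The validation fix described under Mitigation, as an added example that is not TSPortal's own code: a plain-PHP model of the empty-string-to-null conversion, a store step without the check, and one with it. The function names, the `reason` value, and the record layout are assumptions made for illustration; only the `evidence` field and its null outcome come from the advisory text.

```php
<?php
declare(strict_types=1);

// Stand-in for Laravel's empty-string-to-null request middleware:
// every '' in the input becomes null before the controller runs.
function emptyStringsToNull(array $input): array
{
    return array_map(
        fn ($v) => is_array($v) ? emptyStringsToNull($v) : ($v === '' ? null : $v),
        $input
    );
}

// Hypothetical pre-fix store(): evidence is persisted without any check.
function storeUnchecked(array $input): array
{
    return ['reason' => $input['reason'] ?? null, 'evidence' => $input['evidence'] ?? null];
}

// Hypothetical fixed store(): a DPA report must carry non-empty evidence.
function storeValidated(array $input): array
{
    $evidence = $input['evidence'] ?? null;
    if (!is_string($evidence) || trim($evidence) === '') {
        throw new InvalidArgumentException('evidence is required for a DPA report');
    }
    return ['reason' => $input['reason'] ?? null, 'evidence' => $evidence];
}

// Per the advisory text, a stored report with null evidence reads as self-deletion.
function readsAsSelfDeletion(array $report): bool
{
    return $report['evidence'] === null;
}

// Constructed form submission: a reason is chosen, evidence is left blank.
$submitted = emptyStringsToNull(['reason' => 'suspected-underage', 'evidence' => '']);

// Without validation the blank field is stored as null and is misclassified.
var_dump(readsAsSelfDeletion(storeUnchecked($submitted)));

// With validation the same submission is refused before anything is stored.
try {
    storeValidated($submitted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Inside a Laravel controller the same guard is normally written with the framework's validator, for example `$request->validate(['evidence' => 'required'])`, since the `required` rule rejects both null and empty strings.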
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| miraheze/ts-portal (Packagist) | < 30 | 30 |
Affected products
- miraheze/TSPortal v5, Range: < 30
References
- github.com/advisories/GHSA-gfhq-7499-f3f2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29788 (GHSA, advisory)
- api.laravel.com/docs/12.x/Illuminate/Foundation/Configuration/Middleware.html (GHSA, web)
- github.com/miraheze/TSPortal/security/advisories/GHSA-gfhq-7499-f3f2 (GHSA, x_refsource_CONFIRM, web)
- issue-tracker.miraheze.org/T15053 (GHSA, x_refsource_MISC, web)