nl-portal-backend CVE-2026-49463
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible GraphQL API requires only a valid user session (PR:L); no integrity or availability impact; high confidentiality loss due to cross-user personal data exposure.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 maven packages depend on nl.nl-portal:besluiten (1 direct, 1 indirect)
- 4 maven packages depend on nl.nl-portal:documenten-api (2 direct, 2 indirect)
Ecosystem-wide dependent count for version 1.5.0 and other introduced versions.
DescriptionGitHub Advisory
Impact
In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user:
- Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) - so every version of
nl.nl-portal:documenten-apiever published is affected (the earliest one on Maven Central is0.2.2.RELEASE, published 2023-08-31). - Decisions (
besluiten). A logged-in user could list, search, and read decision records - including their audit trails and the documents attached to them - for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. Thebesluitenmodule was introduced in the1.5.xrelease line (commit9229460b, 2024-08-19), so versions ofnl.nl-portal:besluitenfrom1.5.0through3.0.0are affected.
Decisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user's document IDs by enumerating decisions, they can pull those documents' contents through the document endpoint.
Why these two findings are reported together
They share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same - bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents), so they describe a single end-to-end weakness in the GraphQL surface.
Patches
Upgrade to 3.0.1 or later.
nl.nl-portal:documenten-api- the resolver now declares the authentication parameter, so the framework binds the authenticated user into the call path. Fix commit:32e0ebdf- "Add auth on DocumentContentQuery.kt".nl.nl-portal:besluiten- the entirebesluitenmodule is removed in 3.0.1. Consumers who rely on the besluiten functionality must implement a replacement at the application layer with explicit per-user authorization on every resolver before upgrading. Fix commit:f592af1b- "Removal of Besluiten API".
Workarounds
For deployments that cannot upgrade immediately:
- Block the following GraphQL operations at the API gateway:
getDocumentContent,getBesluiten,getBesluit,getBesluitAuditTrails,getBesluitAuditTrail,getBesluitDocumenten,getBesluitDocument. - If per-operation blocking is not possible, block the
besluitenmodule's GraphQL types entirely and block the document-content query.
Technical details
nl.nlportal.documentenapi.graphql.DocumentContentQuery.getDocumentContent(documentApi, id)did not declare aCommonGroundAuthenticationparameter on the resolver. The authenticated principal was therefore not bound into the call path and document content could be retrieved without the resolver participating in user-scoped authorization. Patched by addingauthentication: CommonGroundAuthenticationto the resolver signature, so Spring's argument resolution rejects unauthenticated invocations of the query.nl.nlportal.besluiten.graphql.BesluitenQueryexposed six GraphQL operations -getBesluiten,getBesluit,getBesluitAuditTrails,getBesluitAuditTrail,getBesluitDocumenten,getBesluitDocument- none of which declared aCommonGroundAuthenticationparameter. In particular,getBesluitenaccepted filter arguments (besluitType,identificatie,verantwoordelijkeOrganisatie,zaak,pageNumber) but performed no user scoping, allowing callers to enumerate besluit records across users. The point-lookup operations (getBesluit,getBesluitAuditTrail,getBesluitDocument) returned data for any UUID without ownership checks. The fix is the removal ofBesluitenQuery,BesluitenAutoConfiguration, and the integration test, and the autoconfiguration entry has been unwired from the application defaults.
Credits
Discovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.
AnalysisAI
Broken object-level authorization in the nl-portal-backend-libraries GraphQL API exposes sensitive personal data belonging to arbitrary users to any authenticated caller. Two resolvers - document content retrieval (all published versions of nl.nl-portal:documenten-api since 0.2.2.RELEASE, 2023) and the besluiten (decisions) module (nl.nl-portal:besluiten 1.5.0-3.0.0) - were declared without a CommonGroundAuthentication parameter, causing the Spring framework to never bind the authenticated principal into the call path and leaving ownership checks impossible at the resolver level. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session in the nl-portal application (PR:L); an attacker must hold a legitimate user account or have obtained session credentials for one. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user of a Dutch government citizen portal sends a GraphQL query to getBesluiten with filter parameters (e.g., verantwoordelijkeOrganisatie set to a known agency) to enumerate decision records across the entire user base, collecting victim BSN identifiers and associated document UUIDs. The attacker then iterates each document UUID through the getDocumentContent resolver to download raw document content - benefit rulings, permit decisions, or objection outcomes - for arbitrary citizens, with no server-side check confirming the documents belong to the requesting account. … |
| Remediation | Upgrade both affected Maven artifacts to version 3.0.1 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qpm9-h556-mwxm