Skip to main content

Apollo Portal EUVDEUVD-2025-210473

| CVE-2025-32781 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-13 https://github.com/apolloconfig/apollo GHSA-jxpj-9j24-w337
6.5
CVSS 3.1 · Vendor: https://github.com/apolloconfig/apollo
Share

Severity by source

Vendor (https://github.com/apolloconfig/apollo) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible API (AV:N), straightforward enumeration once account held (AC:L), any Portal account required (PR:L), no write or availability impact confirmed by description.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/apolloconfig/apollo).

CVSS VectorVendor: https://github.com/apolloconfig/apollo

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:38 vuln.today
Analysis Generated
Jul 13, 2026 - 19:38 vuln.today

DescriptionCVE.org

Summary

Apollo Portal versions before 2.5.0 do not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId}.

When configView.memberOnly.envs is enabled for the requested environment, a low-privileged Portal user can supply a valid release ID belonging to an application or namespace they are not authorized to view. The endpoint returns the release data without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...).

Impact

An authenticated attacker who obtains or guesses a valid release ID can read configuration data from other applications and namespaces. Exposed configuration may contain sensitive values such as credentials or service endpoints. The issue does not allow configuration modification and does not directly affect availability.

Affected versions

Apollo Portal versions earlier than 2.5.0 are affected when configView.memberOnly.envs is enabled.

Patches

The issue is fixed in Apollo 2.5.0. The fix adds the missing application and namespace permission check before returning release data.

  • Fix: https://github.com/apolloconfig/apollo/pull/5378
  • Fix commit: https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291
  • Patched release: https://github.com/apolloconfig/apollo/releases/tag/v2.5.0

Workarounds

Upgrade to Apollo 2.5.0 or later. If an immediate upgrade is not possible, backport the permission check from PR #5378 and restrict Apollo Portal access to trusted users until the fix is deployed.

Credits

Apollo Portal thanks @lesignals for reporting this issue.

AnalysisAI

{env}/releases/{releaseId} endpoint fetches and returns a release payload without invoking UserPermissionValidator.shouldHideConfigToCurrentUser(...), meaning a low-privileged user who supplies a valid release ID belonging to a restricted application receives the full configuration - potentially including embedded credentials, database connection strings, and service endpoints. No public exploit has been identified at time of analysis, and exploitation is gated by a non-default configuration setting (configView.memberOnly.envs`), but the practical data sensitivity of Apollo configuration stores makes this a meaningful confidentiality risk.

Technical ContextAI

Apollo is an open-source distributed configuration management platform originally developed by Ctrip, distributed as the Maven artifact com.ctrip.framework.apollo:apollo. Its Portal component exposes a REST API and web UI for operators to manage configuration releases across environments and namespaces. The vulnerable endpoint GET /envs/{env}/releases/{releaseId} accepts a release ID as a path parameter - a sequential integer - and returns the corresponding release object. When the configView.memberOnly.envs feature is enabled for an environment, access to configuration data is supposed to be restricted to users with explicit membership in the owning application or namespace. The enforcement mechanism is UserPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName), which was called in other endpoints but was entirely absent from the release-by-ID handler. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key): the user controls the releaseId key, the system resolves it to a resource object, but never checks whether the resolved resource belongs to a namespace the requesting user is authorized to access. The fix in PR #5378 inserts a four-line permission check immediately after the release is fetched, throwing AccessDeniedException on unauthorized access.

RemediationAI

Upgrade to Apollo 2.5.0 or later, which adds the missing UserPermissionValidator.shouldHideConfigToCurrentUser(...) call in ReleaseController.java before returning release data (fix PR: https://github.com/apolloconfig/apollo/pull/5378, fix commit: https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291, release: https://github.com/apolloconfig/apollo/releases/tag/v2.5.0). If an immediate upgrade is not feasible, the vendor recommends backporting the four-line permission check from PR #5378 directly into the GET /envs/{env}/releases/{releaseId} handler - this is a surgical, low-risk change. As a compensating control prior to patching, restrict Portal access to only fully-trusted personnel by revoking low-privilege accounts, eliminating the PR:L attack surface at the cost of reduced operational access for non-admin users. Do not disable configView.memberOnly.envs as a workaround - doing so broadens configuration visibility to all Portal users rather than restricting it, which is the opposite of the intended control. The vendor-released patch in v2.5.0 is the authoritative fix; the upstream PR and commit are confirmed merged.

Share

EUVD-2025-210473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy