Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle - which the attacker controls - and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.
AnalysisAI
Unauthorized deletion of preview resources in Tuist API allows authenticated attackers to delete arbitrary project previews regardless of ownership. An attacker with valid credentials can manipulate the DELETE endpoint's URL path to pass authorization checks against a project they control, while supplying any preview UUID to delete resources belonging to other users' projects. No public exploit code identified at time of analysis, but exploitation requires only low-complexity API manipulation with standard HTTP tools.
Technical ContextAI
Tuist is a developer platform for Swift application development that provides project preview functionality via REST API. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the authorization plug validates the caller's permissions against the project specified in the URL path parameters (account_handle/project_handle) but the actual deletion operation uses the preview_id UUID parameter without validating ownership linkage. This represents a classic Insecure Direct Object Reference (IDOR) pattern where authorization decisions are made on one object (the URL-specified project) while the action executes against a different object (the UUID-specified preview). The REST API architecture separates the authorization layer from the data access layer without enforcing referential integrity between the path-based project context and the UUID-based resource identifier.
RemediationAI
Upgrade to Tuist version later than 1.180.8 once the vendor releases a patched version per the GitHub Security Advisory GHSA-fqp5-hg46-cp2x at https://github.com/tuist/tuist/security/advisories/GHSA-fqp5-hg46-cp2x - specific fix version not confirmed from available data; monitor the advisory for release announcements. Until patched version is deployed, implement compensating controls: modify the DELETE endpoint authorization logic to validate that the preview_id belongs to the project specified in account_handle/project_handle before executing the deletion (add database query: SELECT project_id FROM previews WHERE id = preview_id and verify it matches the URL path project); alternatively, implement API gateway rules to log all DELETE /api/projects/*/previews/* requests with caller identity for audit trail and anomaly detection, though this does not prevent exploitation; consider temporarily disabling the preview deletion API endpoint entirely if preview cleanup is not operationally critical, with trade-off of preview resource accumulation. Note that authentication credential management remains important as the vulnerability requires valid user credentials.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30483