@saltcorn/data: Tenant user role is used for tenant creation role check

Description

Summary

When a tenant admin is logged out of the root domain (e.g., saltcorn.com) but logged in to their own tenant space as admin, they can simply append /tenant/create to their tenant URL. The system reads the role from the tenant context (admin), and a new tenant is created on the root domain (in PUBLIC SCHEMA > _sc_tenants), rather than in the tenant's own _sc_tenants table.

If the same logic applies to other routes, a tenant admin effectively gains admin rights on the root domain.

PoC

A tenant-created subtenant appears under the Saltcorn public schema instead of the tenant's own schema.

  • Even when role_id=1 is required for tenant creation on saltcorn.com (only admin can create tenants), existing tenant admins can still create new tenants because their local role_id:1 is evaluated against the root domain.
  • Even when role_to_create_tenant is set to 0 in the tenant's _sc_config schema, or removed entirely, the tenant admin can still create sub-tenants on the root domain — suggesting role_to_create_tenant is not being read at all.
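
The mismatch described above, reduced to a self-contained JavaScript illustration. This is an added example, not Saltcorn's code: schema contents, user e-mails, the `sessionFor` helper and the two check functions are all constructed here. Role ids follow Saltcorn's convention (1 = admin, 10 = public, lower is more privileged). The vulnerable check takes the role from the session as-is, so an admin session established in the "acme" tenant passes the root-domain check and the new row lands in the root `_sc_tenants` table; the hardened check resolves the principal in the root user table, treats any session from another tenant as public, and reads `role_to_create_tenant` from the root config with deny-by-default when it is unset or 0.

```javascript
// Added illustration (not Saltcorn's code) of the role-context mismatch.
// Role ids: 1 = admin, 10 = public; lower is more privileged.
const ADMIN_ROLE = 1;
const PUBLIC_ROLE = 10;

// Constructed sample data: the root domain ("public" schema) and one tenant.
const rootSchema = {
  config: { role_to_create_tenant: ADMIN_ROLE }, // only root admins may create tenants
  users: { "owner@example.com": { role_id: ADMIN_ROLE } },
  _sc_tenants: [],
};
const tenantSchemas = {
  acme: {
    config: { role_to_create_tenant: 0 }, // tenant-local setting; must be irrelevant here
    users: { "alice@acme.example": { role_id: ADMIN_ROLE } }, // admin of acme only
    _sc_tenants: [],
  },
};

// Build the session a login in the given schema would produce (hypothetical shape).
function sessionFor(tenant, email) {
  const schema = tenant === "public" ? rootSchema : tenantSchemas[tenant];
  const user = schema && schema.users[email];
  return user ? { email, role_id: user.role_id, tenant } : undefined;
}

// Vulnerable pattern from the advisory: the role is whatever the current session
// says, regardless of which tenant that session belongs to.
function vulnerableCanCreateTenant(session) {
  const roleId = session ? session.role_id : PUBLIC_ROLE;
  return roleId <= rootSchema.config.role_to_create_tenant;
}

// Hardened check: resolve the principal in the ROOT user table. A session from
// another tenant is treated as public on the root domain, and the threshold
// comes from the root config; 0 or missing disables tenant creation.
function hardenedCanCreateTenant(session) {
  const rootUser =
    session && session.tenant === "public" ? rootSchema.users[session.email] : undefined;
  const roleId = rootUser ? rootUser.role_id : PUBLIC_ROLE;
  const threshold = rootSchema.config.role_to_create_tenant;
  if (!threshold) return false;
  return roleId <= threshold;
}

// Route-handler shape: the check decides whether a row is appended to the
// root domain's _sc_tenants table.
function handleCreateTenant(session, name, check) {
  if (!check(session)) return { created: false };
  rootSchema._sc_tenants.push(name);
  return { created: true, schema: "public" };
}

// Outcome for the tenant admin under both checks.
function demonstrate() {
  const tenantAdmin = sessionFor("acme", "alice@acme.example");
  return {
    vulnerable: vulnerableCanCreateTenant(tenantAdmin), // true: tenant admin passes
    hardened: hardenedCanCreateTenant(tenantAdmin), // false: not an admin on root
  };
}
```

The detection-side takeaway is the same as the fix: a request that writes to the root schema must be authorised with the root schema's user and config rows, never with state inherited from a tenant session.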

Impact

Tenant admins gain unauthorized admin-level access to the root domain. Any authenticated tenant admin can perform privileged operations (e.g., creating tenants) on the root domain by exploiting the role context mismatch.

Basic information

Type
reviewed
Severity
high
Published (advisory)
2026-04-22 14:31:34 UTC
Updated
2026-04-22 14:31:35 UTC
GitHub reviewed
2026-04-22 14:31:34 UTC

CVSS Scores

Base score
8.7
Version
4.0
Severity
high
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L)
Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

GHSA
GHSA-9237-rg5p-rhfw

CWEs

CWE id Name
CWE-863 Incorrect Authorization

Credits

  • j2l (reporter)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched
npm @saltcorn/data < 1.4.4 1.4.4
npm @saltcorn/data >= 1.5.0-beta.0, < 1.5.2 1.5.2
npm @saltcorn/data >= 1.6.0-alpha.0, < 1.6.0-beta.2 1.6.0-beta.2

No vulnerable functions are listed for any of the three ranges.
