Khoj, Insecure Direct Object Reference in Notion OAuth Callback (Critical)

Listen to this Post

The vulnerability is an Insecure Direct Object Reference (IDOR) within Khoj’s Notion OAuth callback endpoint (/notion/auth/callback). The endpoint uses a `state` parameter, intended to be a CSRF token, which is instead directly used as a user UUID without validation. When a user initiates a Notion OAuth flow, the application generates a state containing their UUID. The callback endpoint retrieves this `state` parameter from the incoming request and passes it to `aget_user_by_uuid()` to fetch the corresponding user object. Crucially, there is no verification that the OAuth flow was initiated by the same user whose UUID is in the state. An attacker can therefore start an OAuth flow on their own account, intercept the callback request, and replace the `state` parameter with a victim’s known UUID. The endpoint will then fetch the victim’s user object, delete their existing Notion configuration (NotionConfig.objects.filter(user=user).adelete()), and create a new configuration using the attacker’s newly obtained OAuth access token. This grants the attacker control over the victim’s Notion integration within Khoj, enabling data poisoning and unauthorized access to the synced index.
Platform: Khoj
Version: Not Specified
Vulnerability: IDOR
Severity: Critical
date: Not Specified

Prediction: Patch Expected Q3

What Undercode Say:

Analytics:

grep -r "state = request.query_params" src/
src/khoj/routers/notion.py
state = request.query_params.get("state")
user: KhojUser = await aget_user_by_uuid(state)
await NotionConfig.objects.filter(user=user).adelete()
await NotionConfig.objects.acreate(token=access_token, user=user)

How Exploit:

1. Acquire victim UUID from shared image path.

2. Start Notion OAuth on attacker account.

3. Intercept callback, replace `state` with victim UUID.

4. Attacker token linked to victim account.

Protection from this CVE:

Bind `state` to session. Use signed, unpredictable tokens. Verify flow initiation.

Impact:

Integration hijack. Index poisoning. Unauthorized data access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top