CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-4q9j-6299-gxmr: Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth

lowCVE-2026-49254
Summary The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the client_secret field. Any network-reachable attacker can read the OAuth client secrets configured for github or google providers, defeating the confidentiality guarantee of those secrets and enabling subsequent abuse against the connected identity providers. Affected versions github.com/dragonflyoss/dragonfly <= v2.4.3 (and current main at commit 46a8f1e). The vulnerable wiring is present back to the introduction of OAuth GET handlers and was not addressed by GHSA-j8hf-cp34-g4j7 / CVE-2026-24124, whose remediation only added jwt + rbac middleware to the /jobs group. Privilege required Unauthenticated. The only precondition is that an administrator has registered at least one OAuth provider via POST /api/v1/oauth (a one-time setup for tenants that enable GitHub / Google sign-in). Vulnerable code manager/router/router.go:134-140 (v2.4.3) — the /oauth group registration: // Oauth. oa := apiv1.Group("/oauth") oa.POST("", jwt.MiddlewareFunc(), rbac, h.CreateOauth) oa.DELETE(":id", jwt.MiddlewareFunc(), rbac, h.DestroyOauth) oa.PATCH(":id", jwt.MiddlewareFunc(), rbac, h.UpdateOauth) oa.GET(":id", h.GetOauth) oa.GET("", h.GetOauths) Note the asymmetry inside the same oa route group: POST, PATCH, and DELETE explicitly attach jwt.MiddlewareFunc(), rbac as per-route middleware, but the two GET handlers omit both. Compare with the sibling group three lines below at manager/router/router.go:143-148, the /clusters group: c := apiv1.Group("/clusters",

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
low
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-4q9j-6299-gxmr

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49254coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories