CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-qpm9-h556-mwxm: NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries

mediumCVSS 6.5CVE-2026-49463
Impact In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user: - Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) — so every version of nl.nl-portal:documenten-api ever published is affected (the earliest one on Maven Central is 0.2.2.RELEASE, published 2023-08-31). - Decisions (besluiten). A logged-in user could list, search, and read decision records — including their audit trails and the documents attached to them — for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. The besluiten module was introduced in the 1.5.x release line (commit 9229460b, 2024-08-19), so versions of nl.nl-portal:besluiten from 1.5.0 through 3.0.0 are affected. Decisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user's document IDs by enumerating decisions, they can pull those documents' contents through the document endpoint. Why these two findings are reported together They share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same — bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.5
Published
2026-07-08
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-qpm9-h556-mwxm

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49463coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories