Hay-Kot Mealie Broken Object Level Authorization Vulnerability Allowing Permission Edits by Group Managers

Vulnerability

A Broken Object Level Authorization vulnerability has been identified in Hay-Kot Mealie version 2.2.0. This vulnerability allows group managers to edit their own permissions. The issue arises in the '/households/permissions' component, where group managers can manipulate API calls to change their permission levels or household affiliations, actions typically reserved for administrators.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing group managers to gain additional permissions or access rights within the application.

Reproduction

To reproduce this vulnerability, a group manager can send a request to the '/api/households/permissions' endpoint. By including their own user ID in the request, they can change permissions for themselves, such as gaining the ability to manage household members or access recipes and shopping lists from other households.
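The object-level check whose absence the advisory describes, as an added illustration rather than Mealie's own code: the target user is looked up from the id in the request body, and a non-administrator is refused when the target is themselves or sits in another household. The User and PermissionUpdate types, the field names and the policy rules are assumptions for this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed data model for the example; not Mealie's schema.
@dataclass(frozen=True)
class User:
    id: str
    household_id: str
    admin: bool = False
    can_manage: bool = False   # group/household manager flag
    can_invite: bool = False
    can_organize: bool = False

@dataclass(frozen=True)
class PermissionUpdate:
    user_id: str               # target user id as sent in the request body
    can_manage: bool
    can_invite: bool
    can_organize: bool

class Forbidden(Exception):
    pass

def denial_reason(actor: User, target: User) -> Optional[str]:
    """Return why the actor may not edit the target's permissions, or None if allowed.

    Assumed policy: admins may edit anyone; a manager may edit members of their own
    household only; nobody but an admin may edit their own row (the advisory's case).
    """
    if actor.admin:
        return None
    if not actor.can_manage:
        return "actor is not a manager"
    if target.id == actor.id:
        return "managers cannot edit their own permissions"
    if target.household_id != actor.household_id:
        return "target belongs to a different household"
    return None

def apply_permission_update(actor: User, users: Dict[str, User], update: PermissionUpdate) -> User:
    """Resolve the target from the request, authorize against it, then write."""
    target = users.get(update.user_id)
    if target is None:
        raise KeyError(update.user_id)
    reason = denial_reason(actor, target)
    if reason is not None:
        raise Forbidden(reason)
    # household_id is never taken from the request body: moving a user between
    # households stays an administrator-only action.
    updated = replace(target, can_manage=update.can_manage,
                      can_invite=update.can_invite, can_organize=update.can_organize)
    users[target.id] = updated
    return updated
```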

Remediation

This vulnerability has been fixed in Hay-Kot Mealie version 2.5.0.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact          1.3
exploitability  6.6
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.