Hay-Kot Mealie Broken Object Level Authorization Vulnerability Allowing Privilege Escalation

Vulnerability

A Broken Object Level Authorization (BOLA) vulnerability has been identified in Hay-Kot Mealie version 2.2.0. It allows users to edit their own profiles to gain additional permissions or to change their household affiliation. The issue lies in the '/api/users/{user-id}' API endpoint, which applies profile attributes related to permissions and household IDs from the request without restricting those changes to administrators, even though such actions are typically reserved for them.

Impact

Exploitation of this vulnerability allows users to escalate their privileges by modifying profile permissions and household associations, enabling unauthorized management of household members and access to shared resources such as recipes and shopping lists.

Reproduction

To reproduce this vulnerability, a user opens their profile editing feature. Saving the profile issues an API call to the '/api/users/{user-id}' endpoint. That call can be intercepted and modified to include additional permissions or a different household ID. When the altered request is sent, Mealie processes it and updates the user's profile accordingly, granting elevated permissions and access to the resources of the new household.
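The authorization gap described in the Vulnerability and Reproduction sections above, shown as an added Python example (this is not Mealie's code, and the User fields, permission names and handler signatures are assumptions made for the illustration). The vulnerable handler checks only who may touch the record, which is why a self-edit can carry privileged attributes; the hardened handler adds an attribute-level allowlist, and a small helper flags request bodies that try to set privileged fields so they can be logged or alerted on.

```python
from dataclasses import dataclass, fields
from typing import Any, Mapping


@dataclass
class User:
    """Hypothetical profile record; field names are assumptions, not Mealie's schema."""
    id: str
    email: str
    full_name: str
    household_id: str          # which household the user belongs to
    admin: bool = False        # instance-wide administrator
    can_manage: bool = False   # may manage members of own household
    can_invite: bool = False   # may invite others into own household


# Attributes only an administrator may change, on any profile.
PRIVILEGED_FIELDS = frozenset({"admin", "can_manage", "can_invite", "household_id"})
# Attributes a user may change on their own profile.
SELF_EDITABLE_FIELDS = frozenset({"email", "full_name"})
# Every updatable attribute (the primary key is never updatable).
ALL_FIELDS = frozenset(f.name for f in fields(User)) - {"id"}


class Forbidden(Exception):
    """Would map to HTTP 403 in a real API handler."""


def _validate_keys(payload: Mapping[str, Any]) -> None:
    unknown = set(payload) - ALL_FIELDS
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")


def _apply(target: User, payload: Mapping[str, Any]) -> User:
    for key, value in payload.items():
        setattr(target, key, value)
    return target


def update_user_vulnerable(actor: User, target: User, payload: Mapping[str, Any]) -> User:
    """Broken object-level authorization: the handler checks WHO may touch the
    record (owner or admin) but not WHICH attributes the caller may set, so a
    self-edit can flip `admin` or move the account to another household."""
    if actor.id != target.id and not actor.admin:
        raise Forbidden("only administrators may edit other users")
    _validate_keys(payload)
    return _apply(target, payload)


def update_user_hardened(actor: User, target: User, payload: Mapping[str, Any]) -> User:
    """Object-level AND attribute-level authorization: a non-admin may only set an
    allowlist of fields on their own profile. Privileged attributes in the body are
    rejected rather than silently dropped, so the attempt surfaces in access logs."""
    if actor.id != target.id and not actor.admin:
        raise Forbidden("only administrators may edit other users")
    _validate_keys(payload)
    allowed = ALL_FIELDS if actor.admin else SELF_EDITABLE_FIELDS
    denied = set(payload) - allowed
    if denied:
        raise Forbidden(f"user {actor.id} may not modify {sorted(denied)}")
    return _apply(target, payload)


def privileged_fields_in(payload: Mapping[str, Any]) -> frozenset:
    """Detection helper: the privileged attributes a request body tries to set.
    A non-empty result on a self-edit request is worth alerting on."""
    return PRIVILEGED_FIELDS.intersection(payload)


if __name__ == "__main__":
    # Constructed sample: an ordinary member of household-a saves a profile edit
    # whose body also carries admin=true and a different household_id.
    body = {"full_name": "Alice B.", "admin": True, "household_id": "household-b"}

    alice = User("u1", "alice@example.test", "Alice", "household-a")
    update_user_vulnerable(alice, alice, body)
    print("vulnerable:", alice.admin, alice.household_id)   # True household-b

    alice = User("u1", "alice@example.test", "Alice", "household-a")
    try:
        update_user_hardened(alice, alice, body)
    except Forbidden as exc:
        print("hardened:", exc)                              # rejected, profile untouched
    print("flagged fields:", sorted(privileged_fields_in(body)))
```

Rejecting the request outright (rather than stripping the privileged keys and saving the rest) is deliberate: a 403 on a self-edit that carries `admin` or `household_id` is an unambiguous signal in the access log, whereas a silently sanitized 200 hides the attempt. The same allowlist should be enforced server-side for every update path to the user object, not only the one the profile page happens to call.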

Remediation

Users can update to Mealie version 2.5.0, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           0.8
  impact           5.0
  exploitability   6.2
  remediation      7.7
  relevance        0.0
  threat           6.4
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.