Alteryx Server
cpe:2.3:a:alteryx:alteryx_server:*:*:*:*:*:*:*
- 2020.2.3.27789
- 2021.4.2.47895
- 2022.1.1.30961
- 2022.1.1.42707
- 2023.1.1.123
- 2023.1.1.306
- 2023.2.1.51
- 2024.1.1.49
- 2024.1.1.136
- 2024.1.1.209
- 2024.2.1.41
- 2024.2.1.14
- 2024.2.1.73
- 2024.2.1.94
A critical authentication bypass vulnerability has been identified in Alteryx Server versions 2020.2.3.27789, 2021.4.2.47895, 2022.1.1.30961, 2022.1.1.42707, 2023.1.1.123, 2023.1.1.306, 2023.2.1.51, 2024.1.1.49, 2024.1.1.136, 2024.1.1.209, 2024.2.1.41, 2024.2.1.14, 2024.2.1.73, and 2024.2.1.94. This vulnerability resides in the /gallery/api/status/ endpoint, whose improper authentication handling can be exploited remotely without any credentials. The flaw allows unauthorized users to generate authenticated sessions, potentially leading to unauthorized access and actions within the application, particularly when the session belongs to a user with elevated privileges.
Successful exploitation bypasses authentication, enabling unauthorized users to obtain authenticated sessions and perform actions on behalf of the affected user, including accessing sensitive data and executing workflows.
The vulnerability can be reproduced by sending a POST request to the /gallery/api/auth/sessions/ endpoint with the Windows authentication scheme selected, but without any parameters. This request will return a session ID and other user details, which can be used to authenticate API requests and access user data.
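One way a defender can hunt for the pattern described above in web server access logs is to flag successful POST requests to the session endpoint that carry neither a request body nor query parameters, which is exactly the shape of the request the reproduction step describes. The following Python script is an added example, not code from this advisory or from Alteryx; the log line layout (a Combined-style line with a trailing request-body byte count), the sample traffic, and the "no body and no query string" heuristic are all assumptions constructed for illustration, and a real deployment would need the regex adapted to the server's actual log format.

```python
import re
from typing import Dict, List, Optional

# Assumed (constructed) access-log layout, not Alteryx Server's real format:
#   <ip> - - [<timestamp>] "<method> <target> HTTP/1.1" <status> <response_bytes> <request_bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) (?P<req_bytes>\d+|-)$'
)

# The endpoint named in the advisory's reproduction step.
SESSION_ENDPOINT = "/gallery/api/auth/sessions/"

# Constructed sample traffic: line 1 is a session creation with no body and no
# query string that still succeeds (the shape described above); line 3 is a
# normal login carrying a request body; line 5 carries query parameters; the
# remaining lines are unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /gallery/api/auth/sessions/ HTTP/1.1" 200 412 0
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "GET /gallery/api/v1/workflows/ HTTP/1.1" 200 9034 0
198.51.100.4 - - [12/Mar/2025:10:05:10 +0000] "POST /gallery/api/auth/sessions/ HTTP/1.1" 200 412 187
198.51.100.4 - - [12/Mar/2025:10:05:11 +0000] "GET /gallery/ HTTP/1.1" 200 5120 0
203.0.113.7 - - [12/Mar/2025:10:06:00 +0000] "POST /gallery/api/auth/sessions/?scheme=windows HTTP/1.1" 200 412 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict of fields, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _byte_count(field: str) -> int:
    # Some log formats write "-" instead of 0 for an empty body.
    return 0 if field == "-" else int(field)


def is_parameterless_session_create(rec: Dict[str, str]) -> bool:
    """Heuristic (assumption): a successful session creation with no body and no query string."""
    path, _, query = rec["target"].partition("?")
    return (
        rec["method"] == "POST"
        and path == SESSION_ENDPOINT
        and query == ""
        and _byte_count(rec["req_bytes"]) == 0
        and rec["status"] == "200"
    )


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return the source IP and timestamp of every line matching the heuristic."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_parameterless_session_create(rec):
            hits.append({"ip": rec["ip"], "ts": rec["ts"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: parameterless session creation from {hit['ip']} at {hit['ts']}")
```

Run against the constructed sample, only the first line is reported; the login that carries a body and the request that carries query parameters are left alone. Matching on a 200 response keeps the rule focused on session creations that actually succeeded, which is the condition that matters once the fixed versions listed below have been deployed and such requests should no longer succeed.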
Users can upgrade to Alteryx Server versions 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 or 2025.1.1.1.31 to address this vulnerability. Instructions for upgrading are available in the Alteryx Server Release Notes.