Bevy Event Service Account Takeover Vulnerability via SSO Misconfiguration
Vulnerability
A vulnerability in the Bevy Event service, affecting all versions prior to July 22, 2025, allows for account takeover when Single Sign-On (SSO) is used. This issue arises when a user changes their email address in Bevy without updating it with their identity provider, leaving a window for an attacker to hijack the account. The vulnerability is rooted in improper access control within the SSO integration.
Impact
Exploitation of this vulnerability allows attackers to take over accounts of legitimate users, gaining access to sensitive or privileged data within Bevy CMS. This could include internal communications, event information, or administrative interfaces, depending on the user's role.
Reproduction
To reproduce this vulnerability, a user must log into Bevy CMS using SSO. After logging in, the user changes their email address within the Bevy CMS account. This change is not propagated to the identity provider, which still associates the user with the old email address. An attacker can then create a new account under the updated email address and log in via SSO. Bevy CMS matches the email asserted by the identity provider against the existing account record rather than against a stable identity-provider subject, and grants the attacker access to the original user's account.
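The root cause described above is an SSO integration that resolves the local account from the email address in the identity provider's assertion. The following added example (hypothetical code, not Bevy's; the `Account`, `SsoAssertion` and directory class names, the issuer URL and the email addresses are constructed) replays the advisory's sequence against that email-keyed matching and against a subject-keyed alternative, where the local account is bound once to the identity provider's `(issuer, subject)` pair and a later email change has no effect on who can log in.

```python
"""SSO-to-local-account matching: the email-keyed pattern the advisory
describes next to a subject-keyed pattern. Hypothetical code, not Bevy's;
all names and sample values are constructed for illustration."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    id: int
    email: str
    display_name: str


@dataclass(frozen=True)
class SsoAssertion:
    """What the identity provider asserts at login: a stable subject id
    plus the email address the provider currently holds for that subject."""
    issuer: str
    subject: str
    email: str


class EmailMatchedDirectory:
    """Vulnerable pattern: the local account is looked up by asserted email."""

    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self._ids = count(1)

    def change_email(self, account_id: int, new_email: str) -> None:
        # Local change only; the identity provider is never told.
        self.accounts[account_id].email = new_email

    def sso_login(self, a: SsoAssertion) -> Account:
        for acct in self.accounts.values():
            if acct.email.lower() == a.email.lower():
                return acct  # any IdP subject presenting this email lands here
        acct = Account(next(self._ids), a.email, a.email)
        self.accounts[acct.id] = acct
        return acct


class LinkRequired(Exception):
    """Raised when an unknown SSO subject collides with an existing local account."""


class SubjectLinkedDirectory(EmailMatchedDirectory):
    """Hardened pattern: accounts are bound to (issuer, subject); the email
    is a display attribute and never an identity key."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[Tuple[str, str], int] = {}

    def sso_login(self, a: SsoAssertion) -> Account:
        key = (a.issuer, a.subject)
        if key in self.links:
            return self.accounts[self.links[key]]
        # No binding yet: never attach to an existing account on the strength
        # of an email alone; require an explicit, verified linking step instead.
        if any(acct.email.lower() == a.email.lower() for acct in self.accounts.values()):
            raise LinkRequired(f"{a.email} already belongs to a local account")
        acct = Account(next(self._ids), a.email, a.email)
        self.accounts[acct.id] = acct
        self.links[key] = acct.id
        return acct


def run_scenario(directory_cls) -> Tuple[int, Optional[int]]:
    """Replay the advisory's sequence with constructed values.
    Returns (victim account id, id the second IdP subject is logged into,
    or None if the login was refused pending explicit linking)."""
    d = directory_cls()
    victim = d.sso_login(SsoAssertion("https://idp.example", "sub-victim", "alice@example.org"))
    d.change_email(victim.id, "alice.new@example.org")  # IdP still holds alice@example.org
    # A different IdP subject now presents the updated address.
    try:
        other = d.sso_login(SsoAssertion("https://idp.example", "sub-other", "alice.new@example.org"))
    except LinkRequired:
        return victim.id, None
    return victim.id, other.id


if __name__ == "__main__":
    print("email-matched:", run_scenario(EmailMatchedDirectory))     # (1, 1)
    print("subject-linked:", run_scenario(SubjectLinkedDirectory))   # (1, None)
```

With the email-keyed directory the second subject is logged straight into account 1, the victim's; with the subject-keyed directory the login is refused and the victim's own subject still resolves to account 1 after the email change. The detection angle follows from the same data: an SSO login whose `(issuer, subject)` pair differs from the one previously recorded for the account it resolves to is the event worth alerting on.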