Alteryx Server Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to API Keys

Vulnerability

A vulnerability exists in Alteryx Server versions 2022.1.1.42654 and 2024.1 that allows authenticated users to bypass authorization checks and access data belonging to other users. This issue arises from the server's use of MongoDB object IDs to identify requested data without verifying whether the user has permission to access it. By manipulating these object IDs, attackers can retrieve sensitive information such as administrative and private studio API keys from the targeted users' profiles.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive API keys, particularly those of administrative users, allowing attackers to access private workflows, perform administrative actions, and exfiltrate data via the Alteryx Server API.

Reproduction

To reproduce this vulnerability, an authenticated user can send a GET request to the Alteryx Server profile API endpoint, including manipulated MongoDB object IDs for userID and subscriptionID. The response will contain the Private Studio API keys and API Access keys of the user associated with the specified IDs.
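The root cause described above is a lookup keyed only on a caller-supplied MongoDB object ID. The following is an added illustration (not Alteryx code; the handler names, the in-memory "collections" and all IDs and keys are constructed for the example) showing that pattern next to a hardened handler that checks the requested IDs against the session identity and records denied cross-user lookups for detection:

```python
import re

# Constructed sample data standing in for MongoDB collections. Field names
# and values are assumptions for this illustration, not the product's schema.
ALICE = "64a1f0c2e4b0a1b2c3d4e5f6"      # constructed 24-hex ObjectId
BOB = "64a1f0c2e4b0a1b2c3d4e5f7"        # constructed 24-hex ObjectId
SUB_ALICE = "64b2e1d3f5c1b2c3d4e5f6a7"  # constructed subscription id
SUB_BOB = "64b2e1d3f5c1b2c3d4e5f6a8"    # constructed subscription id

USERS = {
    ALICE: {"name": "alice", "is_admin": True},
    BOB: {"name": "bob", "is_admin": False},
}
SUBSCRIPTIONS = {
    SUB_ALICE: {"owner_id": ALICE, "private_studio_key": "KEY-ALICE-CONSTRUCTED"},
    SUB_BOB: {"owner_id": BOB, "private_studio_key": "KEY-BOB-CONSTRUCTED"},
}

# A MongoDB ObjectId serialises as exactly 24 lowercase hex characters.
OBJECT_ID = re.compile(r"[0-9a-f]{24}")

AUDIT_LOG = []  # denied requests; the signal a SOC would alert on


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


class BadRequest(Exception):
    """An identifier in the request is malformed."""


def profile_insecure(session_user_id, user_id, subscription_id):
    """Vulnerable pattern: the session identity is never consulted.

    Whatever ObjectIds the client supplies are used directly as the lookup
    keys, so any authenticated caller can read any user's keys.
    """
    user = USERS[user_id]
    sub = SUBSCRIPTIONS[subscription_id]
    return {"name": user["name"], "private_studio_key": sub["private_studio_key"]}


def _deny(actor, user_id, subscription_id, reason):
    """Record the refused lookup so repeated probing is visible to monitoring."""
    AUDIT_LOG.append({"event": "idor_denied", "actor": actor,
                      "target_user": user_id, "target_sub": subscription_id,
                      "reason": reason})


def profile_secure(session_user_id, user_id, subscription_id):
    """Hardened pattern: validate the IDs, then authorise against the session.

    Knowing (or guessing) a valid ObjectId is never treated as authorisation.
    """
    for ident in (user_id, subscription_id):
        if not OBJECT_ID.fullmatch(ident):
            raise BadRequest(f"malformed object id: {ident!r}")

    # Rule 1: a caller may only read their own profile.
    if user_id != session_user_id:
        _deny(session_user_id, user_id, subscription_id, "foreign user id")
        raise Forbidden("cannot read another user's profile")

    # Rule 2: the subscription must belong to that same user, so the two
    # IDs cannot be mixed to reach a different user's keys.
    sub = SUBSCRIPTIONS.get(subscription_id)
    if sub is None or sub["owner_id"] != user_id:
        _deny(session_user_id, user_id, subscription_id, "foreign subscription")
        raise Forbidden("subscription not owned by requesting user")

    user = USERS[user_id]
    return {"name": user["name"], "private_studio_key": sub["private_studio_key"]}


def try_profile(session_user_id, user_id, subscription_id):
    """Call the hardened handler and map the outcome to a (status, body) pair."""
    try:
        return ("ok", profile_secure(session_user_id, user_id, subscription_id))
    except Forbidden:
        return ("forbidden", None)
    except BadRequest:
        return ("bad_request", None)


def denied_attempts(actor=None):
    """Denied lookups, optionally filtered to one actor, for alerting rules."""
    return [e for e in AUDIT_LOG if actor is None or e["actor"] == actor]


if __name__ == "__main__":
    # Bob's session requesting Alice's profile: leaks with the insecure handler,
    # is refused and logged with the hardened one.
    print(profile_insecure(BOB, ALICE, SUB_ALICE))
    print(try_profile(BOB, ALICE, SUB_ALICE))
    print(try_profile(BOB, BOB, SUB_ALICE))   # own user id, foreign subscription
    print(try_profile(BOB, BOB, SUB_BOB))     # legitimate request
    print(denied_attempts(BOB))
```

Two points in the hardened handler carry the weight: the comparison against the session identity rather than the request body, and the ownership check that ties the subscription to the same user so the two identifiers cannot be combined independently. The audit entries give a detection hook: an account producing a stream of `idor_denied` events against many distinct target IDs is worth an alert even when every request is refused.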

Remediation

Users are advised to update to Alteryx Server and Client versions 2024.1 or later.

Added: Nov 14, 2025, 7:17 PM
Updated: Nov 14, 2025, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.