Onlook Web Application tRPC APIs Broken Object Level Authorization Vulnerability

Vulnerability

A Broken Object Level Authorization (BOLA) vulnerability has been identified in the Onlook web application version 0.2.32, specifically in the tRPC project mutation APIs that handle updates, deletions, and tag management. The vulnerability arises because the API does not verify whether the authenticated user owns, or is a member of, the project identified by the requested ID. As a result, an authenticated attacker can send a request containing another user's project ID and modify, delete, or manipulate the tags of that project without authorization. Such actions could significantly disrupt data integrity and availability.
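The missing check described above, as an added example that is not Onlook's code: a tRPC-style mutation resolver that only looks the project up by ID, beside a version that first confirms the authenticated user is an owner or member before any update, delete or tag change. The in-memory project store, membership table, user IDs and function names are constructed for illustration; a real resolver would query the database and raise tRPC's own error type.

```typescript
// Added illustration, not Onlook's code. The project store, membership table,
// user IDs and function names are constructed so it runs without a tRPC server.
type UserId = string;
type ProjectId = string;
interface Project { id: ProjectId; name: string; tags: string[] }
interface Ctx { userId: UserId } // what the authenticated session supplies

// Constructed data: alice owns p-alice; bob owns p-bob and carol is a member.
const projects = new Map<ProjectId, Project>([
  ["p-alice", { id: "p-alice", name: "Alice's app", tags: ["demo"] }],
  ["p-bob", { id: "p-bob", name: "Bob's app", tags: [] }],
]);
const members = new Map<ProjectId, Set<UserId>>([
  ["p-alice", new Set(["alice"])],
  ["p-bob", new Set(["bob", "carol"])],
]);
class ForbiddenError extends Error {}

// BOLA pattern: the caller is authenticated, but the resolver trusts the
// client-supplied project ID and never asks whether it belongs to ctx.userId.
function renameProjectVulnerable(_ctx: Ctx, id: ProjectId, name: string): Project {
  const p = projects.get(id);
  if (!p) throw new Error("not found");
  p.name = name; // any logged-in user can rename any project they can name
  return p;
}

// Hardened: one helper resolves the project and enforces membership; every
// mutation (update, delete, tags) goes through it before touching data.
function assertMember(ctx: Ctx, id: ProjectId): Project {
  const p = projects.get(id);
  // Same error for "missing" and "not yours" so project IDs cannot be probed.
  if (!p || !members.get(id)?.has(ctx.userId)) throw new ForbiddenError("forbidden");
  return p;
}
function renameProject(ctx: Ctx, id: ProjectId, name: string): Project {
  const p = assertMember(ctx, id);
  p.name = name;
  return p;
}
function updateTags(ctx: Ctx, id: ProjectId, tags: string[]): Project {
  const p = assertMember(ctx, id);
  p.tags = tags.filter((t, i) => tags.indexOf(t) === i); // drop duplicate tags
  return p;
}
function deleteProject(ctx: Ctx, id: ProjectId): boolean {
  assertMember(ctx, id);
  members.delete(id);
  return projects.delete(id);
}
```

The fix is the single `assertMember` call at the top of each mutation; auditing that every project mutation in a router passes through such a helper is the corresponding code-review check.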

Impact

Exploitation of this vulnerability could lead to unauthorized modifications, deletions, or manipulations of project data and tags, severely disrupting data integrity and availability.

Added: Nov 7, 2025, 4:17 PM
Updated: Nov 7, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          3.1
exploitability  4.8
remediation     0.0
relevance       0.9
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.